Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
16-10-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
-
Size
115KB
-
MD5
7909fc1d969d674fc5f4fc9fa08af28a
-
SHA1
68d75e5ae16ec716377c86c4e79be281d28d0274
-
SHA256
757e139e9d70d76499da424b9a2897ac4d4159b1cdf51a93ffaf1c21c015e3b5
-
SHA512
c1e62a56c0fe584a54b7b696b67205e0d62b3d59eaeccbdce6f2fdb3203e25478d94d6856808c557a948f237f90f3c47a0a958a7a26f6a025ab564bd74af28fe
-
SSDEEP
3072:2wipi3bX02dweqqZAzBrR2t0QKBW+M4t/:nUi3bX02dw1qZAzCt1+ft
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs — every IoC below is reg.exe setting HKCU (S-1-5-21-…-1000)\…\Explorer\Advanced\HideFileExt = 1, which makes Explorer hide file extensions so a dropped executable can pass for a document. The write is performed by reg.exe rather than by the sample itself, so detection should key on reg.exe command lines spawned from the sample/cmd.exe process tree, not only on the sample's own registry activity. The un-headed IoC list further down (EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, also via reg.exe) disables User Account Control; that change takes effect at the next logon/reboot and should be treated as a UAC-tampering indicator in its own right.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Queries the country code configured in the registry (Control Panel\International\Geo\Nation); this is commonly used as a geofence to avoid running in certain regions, though the report shows only the read, not what the sample does with the value.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation ZwQoIEww.exe -
Deletes itself 1 IoCs
pid Process 956 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 316 ZwQoIEww.exe 3036 zWIMoMgY.exe -
Loads dropped DLL 20 IoCs
pid Process 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. Note that no IoC (file path or process) is attached to this signature in the report, so treat it as a low-confidence hit until corroborated by file-access events.
-
Adds Run key to start application 2 TTPs 4 IoCs — persistence is established twice: a per-user HKCU\…\CurrentVersion\Run entry pointing at C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe and a machine-wide HKLM\SOFTWARE\Wow6432Node\…\CurrentVersion\Run entry pointing at C:\ProgramData\rOIMsQgs\zWIMoMgY.exe. Both the original sample and the dropped copies re-write these values, so removal must cover both hives and both dropped binaries. The Wow6432Node path indicates the writer is a 32-bit process on the x64 image.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZwQoIEww.exe = "C:\\Users\\Admin\\zEQwwUAo\\ZwQoIEww.exe" 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zWIMoMgY.exe = "C:\\ProgramData\\rOIMsQgs\\zWIMoMgY.exe" 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZwQoIEww.exe = "C:\\Users\\Admin\\zEQwwUAo\\ZwQoIEww.exe" ZwQoIEww.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zWIMoMgY.exe = "C:\\ProgramData\\rOIMsQgs\\zWIMoMgY.exe" zWIMoMgY.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico ZwQoIEww.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the NLS\Language key is opened here not only by the sample but also by cmd.exe, reg.exe and cscript.exe, which read it during normal locale initialisation, so this signature on its own is weak evidence of intent; the Geo\Nation lookup above is the stronger geofencing indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe -
Modifies registry key 1 TTPs 64 IoCs — a large number of short-lived reg.exe processes; several PIDs (e.g. 2212, 2396, 1248, 1404, 2060, 1652) recur in the list, which is consistent with PID reuse across the 150 s run rather than a single long-lived reg.exe. Correlate with the HideFileExt and EnableLUA writes above when building process-tree detections.
pid Process 2268 reg.exe 1620 reg.exe 2060 reg.exe 2768 reg.exe 1020 reg.exe 2464 reg.exe 2752 reg.exe 1176 reg.exe 2452 reg.exe 2728 reg.exe 2480 reg.exe 1996 reg.exe 2996 reg.exe 2044 reg.exe 2424 reg.exe 2212 reg.exe 2052 reg.exe 2212 reg.exe 2396 reg.exe 884 reg.exe 880 reg.exe 1652 reg.exe 2392 reg.exe 1928 reg.exe 1732 reg.exe 2156 reg.exe 1248 reg.exe 1032 reg.exe 2068 reg.exe 1720 reg.exe 2928 reg.exe 2396 reg.exe 2864 reg.exe 2140 reg.exe 1404 reg.exe 2528 reg.exe 1248 reg.exe 2208 reg.exe 1404 reg.exe 2672 reg.exe 1916 reg.exe 1036 reg.exe 2484 reg.exe 2468 reg.exe 868 reg.exe 1244 reg.exe 448 reg.exe 2060 reg.exe 1652 reg.exe 2876 reg.exe 1064 reg.exe 1456 reg.exe 1252 reg.exe 1848 reg.exe 2176 reg.exe 1280 reg.exe 2700 reg.exe 1424 reg.exe 2872 reg.exe 2680 reg.exe 1236 reg.exe 1564 reg.exe 2708 reg.exe 852 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2440 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2440 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1624 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1624 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1768 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1768 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1348 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1348 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2156 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2156 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2328 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2328 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1920 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1920 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1276 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1276 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1732 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1732 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 448 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 448 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1460 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1460 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 608 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 608 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2780 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2780 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 808 
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 808 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 580 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 580 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1560 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1560 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2848 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2848 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1780 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1780 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3060 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3060 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 880 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 880 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2560 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2560 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1992 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1992 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1816 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1816 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2576 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2576 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2740 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2740 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2764 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2764 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2932 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2932 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1480 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1480 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2452 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2452 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 316 ZwQoIEww.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe 316 ZwQoIEww.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 756 wrote to memory of 316 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 28 PID 756 wrote to memory of 316 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 28 PID 756 wrote to memory of 316 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 28 PID 756 wrote to memory of 316 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 28 PID 756 wrote to memory of 3036 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 29 PID 756 wrote to memory of 3036 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 29 PID 756 wrote to memory of 3036 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 29 PID 756 wrote to memory of 3036 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 29 PID 756 wrote to memory of 2552 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 30 PID 756 wrote to memory of 2552 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 30 PID 756 wrote to memory of 2552 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 30 PID 756 wrote to memory of 2552 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 30 PID 2552 wrote to memory of 2668 2552 cmd.exe 32 PID 2552 wrote to memory of 2668 2552 cmd.exe 32 PID 2552 wrote to memory of 2668 2552 cmd.exe 32 PID 2552 wrote to memory of 2668 2552 cmd.exe 32 PID 756 wrote to memory of 2708 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 33 PID 756 wrote to memory of 2708 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 33 PID 756 wrote to memory of 2708 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 33 PID 756 wrote to memory of 2708 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 33 PID 756 wrote to memory of 2716 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 34 PID 756 wrote to memory of 2716 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 34 PID 756 wrote to memory of 2716 756 
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 34 PID 756 wrote to memory of 2716 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 34 PID 756 wrote to memory of 2864 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 36 PID 756 wrote to memory of 2864 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 36 PID 756 wrote to memory of 2864 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 36 PID 756 wrote to memory of 2864 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 36 PID 756 wrote to memory of 2604 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 39 PID 756 wrote to memory of 2604 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 39 PID 756 wrote to memory of 2604 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 39 PID 756 wrote to memory of 2604 756 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 39 PID 2604 wrote to memory of 1504 2604 cmd.exe 41 PID 2604 wrote to memory of 1504 2604 cmd.exe 41 PID 2604 wrote to memory of 1504 2604 cmd.exe 41 PID 2604 wrote to memory of 1504 2604 cmd.exe 41 PID 2668 wrote to memory of 2488 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 42 PID 2668 wrote to memory of 2488 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 42 PID 2668 wrote to memory of 2488 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 42 PID 2668 wrote to memory of 2488 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 42 PID 2488 wrote to memory of 2440 2488 cmd.exe 44 PID 2488 wrote to memory of 2440 2488 cmd.exe 44 PID 2488 wrote to memory of 2440 2488 cmd.exe 44 PID 2488 wrote to memory of 2440 2488 cmd.exe 44 PID 2668 wrote to memory of 1280 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 45 PID 2668 wrote to memory of 1280 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 45 PID 2668 wrote to memory of 1280 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 45 PID 2668 wrote 
to memory of 1280 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 45 PID 2668 wrote to memory of 1720 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 46 PID 2668 wrote to memory of 1720 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 46 PID 2668 wrote to memory of 1720 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 46 PID 2668 wrote to memory of 1720 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 46 PID 2668 wrote to memory of 784 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 48 PID 2668 wrote to memory of 784 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 48 PID 2668 wrote to memory of 784 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 48 PID 2668 wrote to memory of 784 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 48 PID 2668 wrote to memory of 2036 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 50 PID 2668 wrote to memory of 2036 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 50 PID 2668 wrote to memory of 2036 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 50 PID 2668 wrote to memory of 2036 2668 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 50 PID 2036 wrote to memory of 2244 2036 cmd.exe 53 PID 2036 wrote to memory of 2244 2036 cmd.exe 53 PID 2036 wrote to memory of 2244 2036 cmd.exe 53 PID 2036 wrote to memory of 2244 2036 cmd.exe 53
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe"C:\Users\Admin\zEQwwUAo\ZwQoIEww.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:316
-
-
C:\ProgramData\rOIMsQgs\zWIMoMgY.exe"C:\ProgramData\rOIMsQgs\zWIMoMgY.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3036
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2440 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"6⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"8⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1768 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"10⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"12⤵PID:352
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"14⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"16⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"18⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock19⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1276 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"20⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"22⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"24⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1460 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"26⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"28⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:608 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"30⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"32⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:808 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"34⤵PID:820
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:580 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"36⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1560 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"38⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"40⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"42⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"44⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:880 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"46⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"48⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"50⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"52⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2576 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"54⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"56⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"58⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"60⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"62⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"64⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock65⤵PID:2764
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"66⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock67⤵PID:2108
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"68⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock69⤵PID:2356
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"70⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock71⤵PID:1160
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"72⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock73⤵
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"74⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock75⤵PID:2964
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"76⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock77⤵PID:1236
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"78⤵
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock79⤵PID:2524
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"80⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock81⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"82⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock83⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"84⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock85⤵PID:2984
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"86⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock87⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"88⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock89⤵PID:2656
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"90⤵PID:604
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock91⤵PID:2800
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"92⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock93⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"94⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock95⤵PID:916
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"96⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock97⤵PID:2748
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"98⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock99⤵PID:1648
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"100⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock101⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"102⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock103⤵PID:844
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"104⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock105⤵PID:2216
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"106⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock107⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"108⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock109⤵PID:276
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"110⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock111⤵PID:2104
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"112⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock113⤵PID:2364
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"114⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock115⤵PID:1536
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"116⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock117⤵PID:784
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"118⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock119⤵PID:2036
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"120⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock121⤵PID:2732
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"122⤵PID:1696