Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
26-10-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
-
Size
242KB
-
MD5
17d62c14f00cca5fbfdfac29cdbbcf5b
-
SHA1
cd53da64ffad95f3e8f024eb07a126ae8742b504
-
SHA256
e7fc2a1ff4d393351b8bee27b7f7a342e4871422ca14f23ca6caf9730929470f
-
SHA512
62ecb6b53759f61a476f06e48dbe97c5c353532c2c72621d7a8e8d143f92f984d911c0131a440add14d4d9e910987f95a0254c346e42dc92ded513f6f422b671
-
SSDEEP
6144:wJq2iHYGmU+fkPxqWNLPo3yrEnpMTx0J/KcBlY5EE4Trzg22U:rHkU+sPxqWNL1oJRW4zgv
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description      ioc                                                                                                                                   Process
Set value (int)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
(64 identical entries)
-
Sets EnableLUA = 0 (disables UAC) 64 IoCs
EnableLUA is the UAC master switch under HKLM: writing it requires administrative rights, and the change takes effect after the next restart.
description      ioc                                                                                          Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
(64 identical entries)
-
Renames multiple (60) files with added filename extension
This is consistent with ransomware-style behaviour: files are rewritten and given a new extension. Combined with HideFileExt = 1 (above), Explorer hides the added extension when it is a registered type such as .exe, so a renamed file keeps its original apparent name.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation  rQcsAYkc.exe
-
Deletes itself 1 IoCs
pid   Process
2632  cmd.exe
-
Executes dropped EXE 2 IoCs
pid   Process
2808  kUkUgEUQ.exe
2068  rQcsAYkc.exe
-
Loads dropped DLL 20 IoCs
pid   Process
2112  2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe  (4 entries)
2068  rQcsAYkc.exe  (16 entries)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
-
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kUkUgEUQ.exe = "C:\\Users\\Admin\\VCAQsAIc\\kUkUgEUQ.exe"  2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rQcsAYkc.exe = "C:\\ProgramData\\bCwYgIoA\\rQcsAYkc.exe"                          2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rQcsAYkc.exe = "C:\\ProgramData\\bCwYgIoA\\rQcsAYkc.exe"                          rQcsAYkc.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kUkUgEUQ.exe = "C:\\Users\\Admin\\VCAQsAIc\\kUkUgEUQ.exe"  kUkUgEUQ.exe
-
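The three registry signatures above (HideFileExt = 1, EnableLUA = 0, and the two Run entries pointing at the dropped copies) are the events a detection engineer would want to catch on a live host. What follows is an added example, not part of the report and not Tria.ge or Virlock code: it runs a handful of classification rules over constructed records in the shape of Sysmon Event ID 13 (registry value set), modelled on the IoCs above. It normalises Sysmon's HKLM/HKU prefixes and the Wow6432Node redirection to the kernel \REGISTRY\ paths the report uses, so one rule matches both views. The eight-letter drop-path pattern is generalised from the two paths in this report and is an assumption, not a published Virlock rule; the two benign control rows (a vendor installer and explorer.exe) are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed records in the shape of Sysmon Event ID 13 (RegistryEvent: value set),
# modelled on the IoCs in this report. They are sample input, not captured telemetry.
VIRLOCK = r"C:\Users\Admin\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": VIRLOCK,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rQcsAYkc.exe",
     "Details": r"C:\ProgramData\bCwYgIoA\rQcsAYkc.exe"},
    {"Image": r"C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe",
     "TargetObject": r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kUkUgEUQ.exe",
     "Details": r"C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe"},
    # Benign controls (constructed): a vendor installer's Run entry, and Explorer re-enabling extensions.
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000000)"},
]

_HIVES = {"HKLM": r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
          "HKU": r"\REGISTRY\USER", "HKEY_USERS": r"\REGISTRY\USER"}

def normalize_key(target: str) -> str:
    r"""Rewrite Sysmon's HKLM and HKU prefixes to the kernel \REGISTRY\ form used in the
    report and drop the WOW64 redirection node, so 32- and 64-bit views compare equal."""
    hive, _, rest = target.partition("\\")
    path = f"{_HIVES[hive.upper()]}\\{rest}" if hive.upper() in _HIVES else target
    return re.sub(r"\\Wow6432Node(?=\\)", "", path, flags=re.IGNORECASE)

def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report renders them as "1"."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    plain = details.strip().strip('"')
    return int(plain) if plain.isdigit() else None

HIDE_FILE_EXT = re.compile(r"^\\REGISTRY\\USER\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt$", re.I)
ENABLE_LUA = re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)
RUN_KEY = re.compile(r"^\\REGISTRY\\(?:MACHINE\\SOFTWARE|USER\\[^\\]+\\Software)\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Drop-path shape generalised from the two Run entries in this report:
# <profile or ProgramData>\<8 letters>\<8 letters>.exe. An assumption, not a published Virlock rule.
RANDOM_DROP = re.compile(r"^C:\\(?:Users\\[^\\]+|ProgramData)\\[A-Za-z]{8}\\([A-Za-z]{8})\.exe$")

class Finding(NamedTuple):
    rule: str
    image: str
    key: str
    details: str

def classify(event: dict) -> Optional[Finding]:
    """Map one value-set event to a rule name, or None if it is not interesting."""
    key, details, image = normalize_key(event["TargetObject"]), event["Details"], event["Image"]
    if HIDE_FILE_EXT.match(key) and dword_value(details) == 1:
        return Finding("explorer_hide_file_ext", image, key, details)
    if ENABLE_LUA.match(key) and dword_value(details) == 0:
        return Finding("uac_enablelua_disabled", image, key, details)
    m = RUN_KEY.match(key)
    if m:
        drop = RANDOM_DROP.match(details.strip('"'))
        # In the report the Run value name equals the dropped file name; require both.
        if drop and m.group(1).lower() == drop.group(1).lower() + ".exe":
            return Finding("run_key_random_dropper", image, key, details)
        return Finding("run_key_added", image, key, details)
    return None

def scan(events) -> list:
    """Classify every event and keep only the hits."""
    return [f for f in map(classify, events) if f is not None]

def summarize(findings) -> dict:
    """Rule name -> hit count."""
    return dict(Counter(f.rule for f in findings))

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:24} {f.image}  {f.key} = {f.details}")
    print(summarize(found))
```

Two caveats belong in any production version of these rules. EnableLUA lives under HKLM, so the reg.exe that wrote it was already running with administrative rights, and the new value only applies after a restart; a rule that fires on the write is therefore an early warning, not proof that UAC is already off. The Wow6432Node path is what a 32-bit process sees when it writes HKLM\SOFTWARE on 64-bit Windows, and entries under that Run key are still executed at logon, so a rule that matches only the native Run path misses half of this sample's persistence.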
Drops file in Windows directory 1 IoCs
description                   ioc                                                                                 Process
File opened for modification  \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico  rQcsAYkc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather the victim's system language in order to infer the host's geographical location.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe, cscript.exe, reg.exe and 2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
(64 entries, all against the same key)
-
Modifies registry key 1 TTPs 64 IoCs
pid Process (64 entries, all reg.exe)
568, 2092, 2156, 1892, 2544, 2756, 2972, 1564, 2568, 2452, 1648, 2788, 2748, 2784, 1952, 2148, 2772, 2168, 1700, 1632, 2716, 2092, 2640, 2364, 2672, 1732, 604, 2856, 2528, 2508, 1672, 784, 1888, 1788, 2168, 2756, 1420, 2544, 2764, 1860, 888, 2008, 1468, 628, 2336, 1016, 1572, 924, 2348, 2160, 640, 1460, 2428, 2700, 2532, 2956, 2652, 3040, 2052, 1252, 2956, 1092, 536, 2144
PIDs 2092, 2168, 2544, 2756 and 2956 each appear twice.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries: 32 instances of 2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe, each listed twice)
2112, 3028, 2796, 320, 2404, 1672, 2832, 2884, 1960, 924, 1640, 1632, 2584, 1852, 2396, 888, 2980, 2700, 2784, 2224, 1420, 920, 2268, 2544, 592, 2164, 1464, 620, 2840, 2124, 2792, 988
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2068 rQcsAYkc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe"C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2808
C:\ProgramData\bCwYgIoA\rQcsAYkc.exe"C:\ProgramData\bCwYgIoA\rQcsAYkc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2068
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"6⤵PID:328
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:320 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"8⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"10⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1672 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"12⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"14⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"16⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock17⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1960 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"18⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:924 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"20⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock21⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1640 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"22⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"24⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"26⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"28⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"30⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:888 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"32⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"34⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"36⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"38⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"40⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"42⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:920 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"44⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock45⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2268 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"46⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:2544 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"48⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:592 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"50⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"52⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"54⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:620 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"56⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock57⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"58⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"60⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"62⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"64⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock65⤵PID:2628
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"66⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock67⤵PID:2432
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"68⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock69⤵PID:2268
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"70⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock71⤵PID:2696
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"72⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock73⤵PID:2656
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"74⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock75⤵PID:1980
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"76⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock77⤵PID:1460
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"78⤵PID:580
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock79⤵PID:2648
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"80⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock81⤵PID:2960
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"82⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock83⤵PID:2700
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"84⤵PID:592
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock85⤵PID:272
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"86⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock87⤵PID:2592
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"88⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock89⤵PID:2288
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"90⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock91⤵PID:2260
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"92⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock93⤵PID:276
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"94⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock95⤵PID:2116
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"96⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock97⤵PID:2380
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"98⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock99⤵PID:2080
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"100⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock101⤵PID:2628
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"102⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock103⤵PID:236
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"104⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock105⤵PID:1380
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"106⤵PID:2572
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock107⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"108⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock109⤵PID:3028
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"110⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock111⤵PID:2116
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"112⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock113⤵PID:2604
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"114⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock115⤵PID:1888
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"116⤵PID:700
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock117⤵PID:1604
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"118⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock119⤵PID:1704
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"120⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock121⤵PID:1504
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"122⤵PID:2032