Analysis
-
max time kernel
150s
max time network
63s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
14-11-2024 17:22
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
-
Size
373KB
-
MD5
1d9405d141447fab969a9e235496a0c1
-
SHA1
da31ee67c74e60f6bc0214fdfdd33514f64910e4
-
SHA256
1b5a8e869b055d982bd716b578823324045e387f6fc1dd08bfa3af41d521810f
-
SHA512
d5f75a492a20ec8eef14b290417af91f423aec3135d6622c3ff1cad2f1e0f84823df5342766981b8096bc52154eaf1ec08ff3c3254887f1126cfcaa301ad1f3c
-
SSDEEP
6144:NLn+1TNnHRnF6qnaGv1DLO0ju+4/isew5pkgUb0chOywMPODRXpcRQ3qn7NzBJr4:NLn+1NHRnF6S/x6pnkP0HMPfaaB7tuYI
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes: reg.exe (64 instances)
Description / IoC / Process:
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe
(The identical row is recorded 64 times, once per reg.exe invocation.)
-
Processes: reg.exe (64 instances)
Description / IoC / Process:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
(The identical row is recorded 64 times. EnableLUA = 0 under this key disables User Account Control machine-wide; the change takes effect after the next reboot.)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: tykkYIwY.exe
Description / IoC / Process:
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation tykkYIwY.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
PID / Process:
1892 cmd.exe
-
Executes dropped EXE 2 IoCs
Processes: tykkYIwY.exe, KmggEwYg.exe
PID / Process:
2964 tykkYIwY.exe
2804 KmggEwYg.exe
-
Loads dropped DLL 20 IoCs
Processes: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe, tykkYIwY.exe
PID / Process:
2744 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe (4 DLL loads)
2964 tykkYIwY.exe (16 DLL loads)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe, tykkYIwY.exe, KmggEwYg.exe
Description / IoC / Process:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" tykkYIwY.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" KmggEwYg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
(Two persistence points: a machine-wide Run value pointing into C:\ProgramData and a per-user Run value pointing into the user profile. The HKLM value lands under Wow6432Node because the 32-bit sample's write is redirected to the 32-bit view of HKLM on the x64 VM. Each value is written first by the original sample and then re-asserted by the dropped copy it names.)
-
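The registry rows in the signature tables above (HideFileExt forced to 1, EnableLUA forced to 0, the two Run values, and the Geo\Nation and NLS\Language lookups) are what an analyst carries out of this report into a hunt. The Python below is an added example written for this page; it is not part of the sandbox report, the sandbox's tooling, or the sample. It parses rows in the report's own `<action> (<type>) \REGISTRY\... = "<value>" <process>` form, collapses the 64-fold repetition into distinct IoCs with counts, rewrites the kernel-style hive paths into the HKLM / HKU form that reg.exe and Get-ItemProperty accept, and attaches a plain-language verdict. The input list is constructed from the rows above with the repetition cut to three copies each; the verdict wording and the "eight random letters" heuristic for the dropped folder and file names are this example's own assumptions drawn from the two paths in the report, not a published signature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: rows copied from the signature tables of this report. The
# report repeats the HideFileExt and EnableLUA rows 64 times each; three copies
# of each are enough to show the de-duplication and counting.
SID = "S-1-5-21-2703099537-420551529-3771253338-1000"
RAW_ENTRIES = (
    [r'Set value (int) \REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe' % SID] * 3
    + [r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe'] * 3
    + [
        r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KmggEwYg.exe = "C:\\ProgramData\\UYQUYsII\\KmggEwYg.exe" KmggEwYg.exe',
        r'Set value (str) \REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\tykkYIwY.exe = "C:\\Users\\Admin\\fSQQcIMQ\\tykkYIwY.exe" tykkYIwY.exe' % SID,
        r'Key value queried \REGISTRY\USER\%s\Control Panel\International\Geo\Nation tykkYIwY.exe' % SID,
        r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe',
    ]
)

# One report row: <action> [(type)] <\REGISTRY\...path> [= "<value>"] <process>.
# The path is matched lazily because it may contain spaces ("Control Panel").
ENTRY_RE = re.compile(
    r'^(?P<action>Set value|Key opened|Key value queried)'
    r'(?: \((?P<type>\w+)\))?'
    r' (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+\.exe)$'
)
# Heuristic (this example's assumption, drawn from the two paths in the report):
# the dropped folder and file names are exactly eight ASCII letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")


@dataclass(frozen=True)
class Finding:
    action: str
    key: str              # HKLM\... or HKU\<SID>\... form
    value: Optional[str]
    process: str
    count: int            # how many times the report recorded this exact row
    verdict: str


def normalize_path(path: str) -> str:
    """Rewrite the kernel object-manager form (\\REGISTRY\\...) into the hive
    names an analyst types into reg.exe or Get-ItemProperty."""
    machine = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(machine):
        return "HKLM\\" + path[len(machine):]
    m = re.match(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)", path, re.IGNORECASE)
    if m:
        return "HKU\\%s\\%s" % (m.group(1), m.group(2))
    return path


def classify(key: str, value: Optional[str]) -> str:
    """Attach the security meaning of the row types this report contains."""
    parts = key.split("\\")
    leaf, parent = parts[-1], parts[-2]
    if leaf == "HideFileExt" and value == "1":
        return "hides file extensions in Explorer (disguises dropped payloads)"
    if leaf == "EnableLUA" and value == "0":
        return "disables UAC machine-wide (takes effect after a reboot)"
    if parent == "Run" and value is not None:
        exe = value.replace("\\\\", "\\")             # undo the report's escaping
        folder = exe.split("\\")[-2]
        name = exe.split("\\")[-1].rsplit(".", 1)[0]
        tag = ""
        if RANDOM_NAME.match(folder) and RANDOM_NAME.match(name):
            tag = " (randomised 8-letter folder and file name)"
        return "Run-key persistence -> " + exe + tag
    if key.endswith("\\Geo\\Nation"):
        return "reads configured country (geofence check)"
    if key.endswith("\\NLS\\Language"):
        return "reads system language (location discovery)"
    return "unclassified"


def summarize(raw_entries: List[str]) -> List[Finding]:
    """Collapse repeated rows into distinct IoCs, most frequent first."""
    counts: Counter = Counter()
    for line in raw_entries:
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsed report row: " + line)
        counts[(m["action"], normalize_path(m["path"]), m["value"], m["proc"])] += 1
    return [Finding(a, k, v, p, n, classify(k, v))
            for (a, k, v, p), n in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for f in summarize(RAW_ENTRIES):
        print("%2dx %-17s %-13s %s -> %s" % (f.count, f.action, f.process, f.key, f.verdict))
```

Run it as a script to get six distinct findings instead of the report's 70-odd rows. The HKU path keeps the SID rather than being rewritten to HKCU, because on a live host the hive to inspect belongs to whichever user ran the sample, not to the analyst's session.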
Drops file in Windows directory 1 IoCs
Processes: tykkYIwY.exe
Description / IoC / Process:
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico tykkYIwY.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: reg.exe (25), 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe (15), cmd.exe (13), cscript.exe (11)
Description / IoC / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
(64 rows in total, all opening this one key; the opening process is reg.exe, 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe, cmd.exe or cscript.exe in the counts given above.)
-
Modifies registry key 1 TTPs 64 IoCs
Processes: reg.exe (64 instances)
PID / Process (all reg.exe):
2668 1524 672 1040 672 1592 1728 1500 2780 3016 2952 2028 2680 1928 2372 2188 1748 2272 2416 2704 2116 3020 2172 608 2428 2284 1512 1532 584 2960 1740 2944 2500 616 2028 2532 2300 2984 2616 988 1692 592 2384 2932 2676 1908 2388 2344 756 2720 1104 2660 2752 2516 3020 608 2084 1632 940 2284 2592 588 2780 2940
(PIDs such as 672, 2028, 3020, 608, 2284 and 2780 appear twice, consistent with Windows reusing PIDs for these short-lived reg.exe processes during the run.)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
tykkYIwY.exe (PID 2964)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
Each entry gives the image path, the command line and the PID; the number in brackets is the depth of the process in the tree (level 1 is the submitted sample).
[1] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe" | PID 2744
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe | "C:\Users\Admin\fSQQcIMQ\tykkYIwY.exe" | PID 2964
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
[2] C:\ProgramData\UYQUYsII\KmggEwYg.exe | "C:\ProgramData\UYQUYsII\KmggEwYg.exe" | PID 2804
- Executes dropped EXE
- Adds Run key to start application
[2] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2788
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2872
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 552
- Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1788
- Suspicious behavior: EnumeratesProcesses
[6] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2940
[7] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2404
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
[8] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2144
[9] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2340
- Suspicious behavior: EnumeratesProcesses
[10] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1472
[11] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2660
- Suspicious behavior: EnumeratesProcesses
[12] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2032
[13] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1724
- Suspicious behavior: EnumeratesProcesses
[14] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2652
[15] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2960
- Suspicious behavior: EnumeratesProcesses
[16] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2284
[17] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2276
- Suspicious behavior: EnumeratesProcesses
[18] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 772
- System Location Discovery: System Language Discovery
[19] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1020
- Suspicious behavior: EnumeratesProcesses
[20] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1872
[21] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 756
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
[22] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2436
[23] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1908
- Suspicious behavior: EnumeratesProcesses
[24] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1692
[25] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2052
- Suspicious behavior: EnumeratesProcesses
[26] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2184
[27] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1724
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
[28] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2320
[29] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2268
- Suspicious behavior: EnumeratesProcesses
[30] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2284
[31] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 616
- Suspicious behavior: EnumeratesProcesses
[32] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1020
[33] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 768
- Suspicious behavior: EnumeratesProcesses
[34] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1016
[35] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2644
- Suspicious behavior: EnumeratesProcesses
[36] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1556
[37] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2904
- Suspicious behavior: EnumeratesProcesses
[38] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2272
[39] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2248
- Suspicious behavior: EnumeratesProcesses
[40] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 568
- System Location Discovery: System Language Discovery
[41] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2164
- Suspicious behavior: EnumeratesProcesses
[42] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2968
[43] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2664
- Suspicious behavior: EnumeratesProcesses
[44] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2936
[45] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2720
- Suspicious behavior: EnumeratesProcesses
[46] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1588
[47] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2972
- Suspicious behavior: EnumeratesProcesses
[48] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2684
[49] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 3016
- Suspicious behavior: EnumeratesProcesses
[50] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1892
[51] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2328
- Suspicious behavior: EnumeratesProcesses
[52] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2152
[53] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1640
- Suspicious behavior: EnumeratesProcesses
[54] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 3008
[55] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2372
- Suspicious behavior: EnumeratesProcesses
[56] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 896
[57] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 800
- Suspicious behavior: EnumeratesProcesses
[58] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 860
[59] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2132
- Suspicious behavior: EnumeratesProcesses
[60] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2864
[61] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2956
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
[62] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1792
[63] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1888
- Suspicious behavior: EnumeratesProcesses
[64] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2892
[65] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 840
[66] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1376
[67] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1856
[68] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2984
[69] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1924
[70] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2244
[71] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2264
- System Location Discovery: System Language Discovery
[72] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1064
[73] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2916
[74] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 980
[75] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1648
[76] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 3016
- System Location Discovery: System Language Discovery
[77] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1896
[78] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1908
[79] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1416
- System Location Discovery: System Language Discovery
[80] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2136
- System Location Discovery: System Language Discovery
[81] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2864
[82] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1616
[83] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2400
[84] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1916
[85] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 672
[86] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2792
- System Location Discovery: System Language Discovery
[87] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2656
- System Location Discovery: System Language Discovery
[88] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1868
[89] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2616
[90] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2096
- System Location Discovery: System Language Discovery
[91] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 840
[92] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1988
[93] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 3040
[94] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2068
[95] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2316
- System Location Discovery: System Language Discovery
[96] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2624
[97] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2760
[98] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2616
[99] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 896
- System Location Discovery: System Language Discovery
[100] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1536
[101] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1888
[102] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2380
[103] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1948
[104] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2732
[105] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2948
[106] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 3012
[107] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2352
[108] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2716
[109] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1416
[110] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2540
[111] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 684
[112] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1908
[113] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1664
[114] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2300
[115] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 1132
- System Location Discovery: System Language Discovery
[116] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 696
[117] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2168
[118] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 1016
[119] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2920
[120] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 2692
[121] C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock | PID 2008
[122] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock" | PID 884