Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 18:46

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Size: 710KB
MD5: 9a09071140d404e8fad58688d42d888a
SHA1: 5db1e9d1c031a9c33d0e5d7d6037140cc6b9b71b
SHA256: 019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6
SHA512: 7b2a92df4cb67bb17a82484f7fe267860cec886b8a2f7b70e55093a3460b8a9a2476413aca47aa2cd94738bebc967356ec67296187a7526f60ccb9a36403b31e
SSDEEP: 12288:UOeIegN8HI9Omlo0YhCR/cZ1oVD8SwssbLVkZPBEU1soH1Oc15e+bXeHmA0cq:UrIn0I9OMZR/uqqZvSVBEK1T1UT0B
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation wOgUUkoY.exe
-
Executes dropped EXE 2 IoCs
pid Process
1812 wOgUUkoY.exe
2908 jEgwUQkA.exe
-
Loads dropped DLL 21 IoCs
pid Process
2168 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
1812 wOgUUkoY.exe
2636 WerFault.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\suYIIMok.exe = "C:\\ProgramData\\dKsEgkks\\suYIIMok.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" wOgUUkoY.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" jEgwUQkA.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\QmYkMAUk.exe = "C:\\Users\\Admin\\wwkAEgoU\\QmYkMAUk.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico wOgUUkoY.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
2880 2584 WerFault.exe 246
2636 2572 WerFault.exe 247
-
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1812 wOgUUkoY.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
1812 wOgUUkoY.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe"C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1812
-
-
C:\ProgramData\raYskYow\jEgwUQkA.exe"C:\ProgramData\raYskYow\jEgwUQkA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2908
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:892 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"6⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"8⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"10⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"12⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:880 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"14⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"16⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"18⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"20⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"22⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"24⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"26⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"28⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"30⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"32⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:540 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"34⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:900 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"36⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock37⤵
- Adds Run key to start application
PID:1840 -
C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe"C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe"38⤵PID:2584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 3639⤵
- Program crash
PID:2880
-
-
-
C:\ProgramData\dKsEgkks\suYIIMok.exe"C:\ProgramData\dKsEgkks\suYIIMok.exe"38⤵PID:2572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 3639⤵
- Loads dropped DLL
- Program crash
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"38⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"40⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"42⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"44⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"46⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"48⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"50⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"52⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:412 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"54⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"56⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"58⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"60⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:940 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"62⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"64⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock65⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"66⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock67⤵PID:1380
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"68⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock69⤵PID:2424
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"70⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock71⤵PID:1532
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"72⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock73⤵PID:2904
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"74⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock75⤵PID:1656
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"76⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock77⤵PID:1280
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"78⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock79⤵PID:2620
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"80⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock81⤵PID:1088
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"82⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock83⤵PID:1648
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"84⤵PID:976
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock85⤵PID:1152
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"86⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock87⤵PID:1692
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"88⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock89⤵PID:2056
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"90⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock91⤵PID:780
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"92⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock93⤵PID:1404
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"94⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock95⤵PID:2532
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"96⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock97⤵PID:2248
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"98⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock99⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"100⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock101⤵PID:632
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"102⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock103⤵PID:3032
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"104⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock105⤵PID:2388
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"106⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock107⤵PID:1600
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"108⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock109⤵PID:2592
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"110⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock111⤵PID:2780
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"112⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock113⤵PID:2828
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"114⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock115⤵PID:1820
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"116⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock117⤵PID:2912
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"118⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock119⤵PID:2016
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"120⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock121⤵PID:2564
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"122⤵PID:1284