Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
03/04/2024, 18:46
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
-
Size
710KB
-
MD5
9a09071140d404e8fad58688d42d888a
-
SHA1
5db1e9d1c031a9c33d0e5d7d6037140cc6b9b71b
-
SHA256
019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6
-
SHA512
7b2a92df4cb67bb17a82484f7fe267860cec886b8a2f7b70e55093a3460b8a9a2476413aca47aa2cd94738bebc967356ec67296187a7526f60ccb9a36403b31e
-
SSDEEP
12288:UOeIegN8HI9Omlo0YhCR/cZ1oVD8SwssbLVkZPBEU1soH1Oc15e+bXeHmA0cq:UrIn0I9OMZR/uqqZvSVBEK1T1UT0B
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (77) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation EswMooow.exe -
Executes dropped EXE 2 IoCs
pid Process 3400 EswMooow.exe 1800 SsAIQAoQ.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" SsAIQAoQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" EswMooow.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe EswMooow.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3400 EswMooow.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3400 EswMooow.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Users\Admin\JwYAIAUI\EswMooow.exe"C:\Users\Admin\JwYAIAUI\EswMooow.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3400
-
-
C:\ProgramData\AKsogAcE\SsAIQAoQ.exe"C:\ProgramData\AKsogAcE\SsAIQAoQ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"8⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"10⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"12⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"14⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"16⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"18⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"20⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"22⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"24⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"26⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"28⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"30⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"32⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock33⤵PID:3688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"34⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock35⤵PID:876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"36⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock37⤵PID:3680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"38⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock39⤵PID:548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"40⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock41⤵PID:1528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"42⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock43⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"44⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock45⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"46⤵PID:3868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵PID:3680
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock47⤵PID:3920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"48⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock49⤵PID:4860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"50⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock51⤵PID:4912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"52⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock53⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"54⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock55⤵PID:2944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"56⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock57⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"58⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock59⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"60⤵PID:416
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock61⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"62⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock63⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"64⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock65⤵PID:1124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"66⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock67⤵PID:1756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"68⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock69⤵PID:4504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"70⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock71⤵PID:4992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"72⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock73⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"74⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock75⤵PID:2516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"76⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock77⤵PID:324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"78⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock79⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"80⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock81⤵PID:552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"82⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock83⤵PID:3056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"84⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock85⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"86⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock87⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"88⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock89⤵PID:1836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"90⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock91⤵PID:4584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"92⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock93⤵PID:2340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"94⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock95⤵PID:2792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"96⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock97⤵PID:756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"98⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock99⤵PID:1528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"100⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock101⤵PID:416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"102⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock103⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"104⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock105⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"106⤵PID:268
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock107⤵PID:2844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"108⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock109⤵PID:1684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"110⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock111⤵PID:2244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"112⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock113⤵PID:4720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"114⤵PID:724
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock115⤵PID:2280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"116⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock117⤵PID:1592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"118⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock119⤵PID:2156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"120⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock121⤵PID:2836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"122⤵PID:3340