Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/04/2024, 18:54
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
Resource
win10v2004-20240226-en
General
- Target: 2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe
- Size: 710KB
- MD5: d34cdff3b0e698bb896329c25e0cf5b3
- SHA1: c5347180f1d3207d8d48f480dd7539ae347a7cdf
- SHA256: a1fe19a6f8e7118773f8ed982e88ded4bb2e161503ad41428e7c99245d79ae35
- SHA512: 65f8d46ade43c55e484ac05333fde2f817c4ecbf658e0690c88731a98e62940470dd7e18a434e860bc31232c6aa388ee2aa4262302ff2d076ad9fd97a73fc79a
- SSDEEP: 12288:M+/pTJKEfDggggggg2ONjNRtoUepm93UOsLma7boUIeAnY87fUWHy:txkiDgggggggR5NWQ9kJ6a7bonz7fA
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation XswooYMg.exe -
Executes dropped EXE 2 IoCs
pid Process 4252 nKcMMUos.exe 4144 XswooYMg.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nKcMMUos.exe = "C:\\Users\\Admin\\zmQYEgwg\\nKcMMUos.exe" 2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XswooYMg.exe = "C:\\ProgramData\\TCMkYUEg\\XswooYMg.exe" 2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XswooYMg.exe = "C:\\ProgramData\\TCMkYUEg\\XswooYMg.exe" XswooYMg.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nKcMMUos.exe = "C:\\Users\\Admin\\zmQYEgwg\\nKcMMUos.exe" nKcMMUos.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe XswooYMg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4144 XswooYMg.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4144 XswooYMg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\zmQYEgwg\nKcMMUos.exe"C:\Users\Admin\zmQYEgwg\nKcMMUos.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4252
-
-
C:\ProgramData\TCMkYUEg\XswooYMg.exe"C:\ProgramData\TCMkYUEg\XswooYMg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"8⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"10⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"12⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"14⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"16⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"18⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"20⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"22⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"24⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"26⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"28⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"30⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"32⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock33⤵PID:2904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"34⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock35⤵PID:4092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"36⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock37⤵PID:4048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"38⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock39⤵PID:1672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"40⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock41⤵PID:2648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"42⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock43⤵PID:4848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"44⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock45⤵PID:3972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"46⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock47⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"48⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock49⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"50⤵PID:376
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock51⤵PID:552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"52⤵PID:1044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock53⤵PID:4356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"54⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock55⤵PID:536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"56⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock57⤵PID:1588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"58⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock59⤵PID:4384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"60⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock61⤵PID:4224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"62⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock63⤵PID:468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"64⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock65⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"66⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock67⤵PID:2316
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"68⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock69⤵PID:1704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"70⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock71⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"72⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock73⤵PID:1884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"74⤵PID:4544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:392
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock75⤵PID:1748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"76⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock77⤵PID:5080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"78⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock79⤵PID:4876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"80⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock81⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"82⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock83⤵PID:4932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"84⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock85⤵PID:1748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"86⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock87⤵PID:4224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"88⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock89⤵PID:3720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"90⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock91⤵PID:1588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"92⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock93⤵PID:3372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"94⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock95⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"96⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock97⤵PID:3428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"98⤵PID:3080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:3720
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock99⤵PID:1636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"100⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock101⤵PID:1052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"102⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock103⤵PID:1840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"104⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock105⤵PID:1080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"106⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock107⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"108⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock109⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"110⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock111⤵PID:468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"112⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock113⤵PID:2028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"114⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock115⤵PID:3944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"116⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock117⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"118⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock119⤵PID:4712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"120⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock121⤵PID:3864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d34cdff3b0e698bb896329c25e0cf5b3_virlock"122⤵PID:2580