Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
07-04-2024 19:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
-
Size
189KB
-
MD5
29df57be6e75f670b1d223ce4733a587
-
SHA1
923c4577613d4c3eb816400141d73d486a7da36c
-
SHA256
fa3fa87588ae7afe00e7b465e7208973c217aaf395288bbce0ff2d4ecb0fd597
-
SHA512
07467b478ae80d2b8e910fd2461461b619ef5a462ff8594a0d7bf0711fc4b07c3d3546d77093c872628ff9b556d39eae42e4817c6d3a124b2c0115bb7f0348ee
-
SSDEEP
3072:3cuMtawMlIJNVwLrd+yNoyykZG3oZ6oUkpLOqpvszcqOSXBxfdik8SWoHT4Vs:3chta3ECLrNyt3oslx4SXHMk82Ys
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Disables User Account Control (UAC) by setting EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (57) files with added filename extension
Renaming a large number of files and appending a new extension is characteristic of ransomware encrypting files on the system. Note that with HideFileExt set to 1 (see the Explorer registry changes above), Explorer hides the appended extension from the user.
-
Checks computer location settings 2 TTPs 1 IoCs
Queries the country code configured in the registry (Control Panel\International\Geo\Nation), likely used to geofence execution by region.
Processes:
FYkUwsUY.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation FYkUwsUY.exe -
Executes dropped EXE 2 IoCs
Processes:
FYkUwsUY.exeVEYMgEEA.exepid process 2864 FYkUwsUY.exe 2476 VEYMgEEA.exe -
Loads dropped DLL 20 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeFYkUwsUY.exepid process 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser profile data, which can include saved credentials. No specific IoC is listed for this signature, so treat it as a heuristic indication rather than confirmed credential theft.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeFYkUwsUY.exeVEYMgEEA.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYkUwsUY.exe = "C:\\Users\\Admin\\KwUwsQMQ\\FYkUwsUY.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VEYMgEEA.exe = "C:\\ProgramData\\PaIYsAcY\\VEYMgEEA.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYkUwsUY.exe = "C:\\Users\\Admin\\KwUwsQMQ\\FYkUwsUY.exe" FYkUwsUY.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VEYMgEEA.exe = "C:\\ProgramData\\PaIYsAcY\\VEYMgEEA.exe" VEYMgEEA.exe -
Drops file in Windows directory 1 IoCs
Processes:
FYkUwsUY.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico FYkUwsUY.exe -
Enumerates physical storage devices 1 TTPs
Attempts to enumerate and interact with connected storage and optical drives.
-
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 1080 reg.exe 2068 reg.exe 1772 reg.exe 1400 reg.exe 1704 reg.exe 2660 reg.exe 2720 reg.exe 1184 reg.exe 2532 reg.exe 2700 reg.exe 776 reg.exe 1872 reg.exe 1956 reg.exe 468 reg.exe 2500 reg.exe 2496 reg.exe 552 reg.exe 2200 reg.exe 2528 reg.exe 1308 reg.exe 2468 reg.exe 2608 reg.exe 1944 reg.exe 2000 reg.exe 1772 reg.exe 2616 reg.exe 636 reg.exe 2984 reg.exe 2140 reg.exe 2000 reg.exe 2208 reg.exe 2868 reg.exe 2780 reg.exe 1196 reg.exe 596 reg.exe 892 reg.exe 2124 reg.exe 2272 reg.exe 2848 reg.exe 2160 reg.exe 2640 reg.exe 2712 reg.exe 1296 reg.exe 1272 reg.exe 2976 reg.exe 2728 reg.exe 1536 reg.exe 1744 reg.exe 1680 reg.exe 2724 reg.exe 2644 reg.exe 1656 reg.exe 2828 reg.exe 1888 reg.exe 1208 reg.exe 1680 reg.exe 844 reg.exe 752 reg.exe 2948 reg.exe 1880 reg.exe 2596 reg.exe 1664 reg.exe 2932 reg.exe 2260 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exepid process 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2816 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2288 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2288 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2384 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2384 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2820 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2820 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1336 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1336 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3064 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3064 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2548 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2548 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2928 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2928 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2936 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2936 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3036 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3036 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1652 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1652 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2988 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2988 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2364 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2364 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2800 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2800 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2668 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2668 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1296 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1296 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2352 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2352 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2364 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2364 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1084 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1084 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1436 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1436 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1856 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1856 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1652 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1652 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2516 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2516 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2776 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2776 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1944 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1944 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1360 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1360 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1840 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1840 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2940 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2940 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
FYkUwsUY.exepid process 2864 FYkUwsUY.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
FYkUwsUY.exepid process 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe 2864 FYkUwsUY.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.execmd.execmd.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.execmd.execmd.exedescription pid process target process PID 2316 wrote to memory of 2864 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe FYkUwsUY.exe PID 2316 wrote to memory of 2864 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe FYkUwsUY.exe PID 2316 wrote to memory of 2864 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe FYkUwsUY.exe PID 2316 wrote to memory of 2864 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe FYkUwsUY.exe PID 2316 wrote to memory of 2476 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe VEYMgEEA.exe PID 2316 wrote to memory of 2476 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe VEYMgEEA.exe PID 2316 wrote to memory of 2476 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe VEYMgEEA.exe PID 2316 wrote to memory of 2476 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe VEYMgEEA.exe PID 2316 wrote to memory of 2540 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2540 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2540 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2540 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2540 wrote to memory of 2816 2540 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2540 wrote to memory of 2816 2540 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2540 wrote to memory of 2816 2540 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2540 wrote to memory of 2816 2540 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2316 wrote to memory of 2688 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2688 2316 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2688 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2688 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2544 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2544 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2544 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2544 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2528 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2528 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2528 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2528 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2316 wrote to memory of 2432 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2432 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2432 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2316 wrote to memory of 2432 2316 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2432 wrote to memory of 2452 2432 cmd.exe cscript.exe PID 2432 wrote to memory of 2452 2432 cmd.exe cscript.exe PID 2432 wrote to memory of 2452 2432 cmd.exe cscript.exe PID 2432 wrote to memory of 2452 2432 cmd.exe cscript.exe PID 2816 wrote to memory of 2200 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2816 wrote to memory of 2200 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2816 wrote to memory of 2200 2816 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2816 wrote to memory of 2200 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2200 wrote to memory of 2288 2200 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2200 wrote to memory of 2288 2200 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2200 wrote to memory of 2288 2200 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2200 wrote to memory of 2288 2200 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2816 wrote to memory of 2744 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2744 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2744 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2744 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2660 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2660 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2660 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2660 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2776 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2776 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2776 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 2776 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2816 wrote to memory of 1216 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2816 wrote to memory of 1216 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 
cmd.exe PID 2816 wrote to memory of 1216 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2816 wrote to memory of 1216 2816 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 1216 wrote to memory of 2132 1216 cmd.exe cscript.exe PID 1216 wrote to memory of 2132 1216 cmd.exe cscript.exe PID 1216 wrote to memory of 2132 1216 cmd.exe cscript.exe PID 1216 wrote to memory of 2132 1216 cmd.exe cscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe"C:\Users\Admin\KwUwsQMQ\FYkUwsUY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2864
-
-
C:\ProgramData\PaIYsAcY\VEYMgEEA.exe"C:\ProgramData\PaIYsAcY\VEYMgEEA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2476
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"6⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"8⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"10⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"12⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3064 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"14⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"16⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"18⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"20⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"22⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"24⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"26⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"28⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"30⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"32⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"34⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"36⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"38⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"40⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"42⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"44⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"46⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"48⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"50⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2516 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"52⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"54⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"56⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"58⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"60⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"62⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:340 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"64⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock65⤵PID:2408
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"66⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock67⤵PID:1644
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"68⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock69⤵PID:1472
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"70⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock71⤵PID:1940
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"72⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock73⤵PID:1100
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"74⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock75⤵PID:1720
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"76⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock77⤵PID:2480
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"78⤵PID:596
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock79⤵PID:2804
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"80⤵PID:2228
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock81⤵PID:2924
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"82⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock83⤵PID:2812
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"84⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock85⤵PID:764
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"86⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock87⤵PID:2488
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"88⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock89⤵PID:2956
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"90⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock91⤵PID:2056
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"92⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock93⤵PID:2872
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"94⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock95⤵PID:2616
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"96⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock97⤵PID:2796
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"98⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock99⤵PID:1680
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"100⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock101⤵PID:2792
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"102⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock103⤵PID:1588
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"104⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock105⤵PID:2040
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"106⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock107⤵PID:2544
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"108⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock109⤵PID:3068
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"110⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock111⤵PID:2500
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"112⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock113⤵PID:572
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"114⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock115⤵PID:900
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"116⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock117⤵PID:2556
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"118⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock119⤵PID:2352
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"120⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock121⤵PID:2764
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"122⤵PID:1524