Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
07-04-2024 19:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
-
Size
189KB
-
MD5
29df57be6e75f670b1d223ce4733a587
-
SHA1
923c4577613d4c3eb816400141d73d486a7da36c
-
SHA256
fa3fa87588ae7afe00e7b465e7208973c217aaf395288bbce0ff2d4ecb0fd597
-
SHA512
07467b478ae80d2b8e910fd2461461b619ef5a462ff8594a0d7bf0711fc4b07c3d3546d77093c872628ff9b556d39eae42e4817c6d3a124b2c0115bb7f0348ee
-
SSDEEP
3072:3cuMtawMlIJNVwLrd+yNoyykZG3oZ6oUkpLOqpvszcqOSXBxfdik8SWoHT4Vs:3chta3ECLrNyt3oslx4SXHMk82Ys
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (84) files with added filename extension
This suggests ransomware activity: the sample is encrypting files across the system and renaming them with an added extension.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used for geofencing.
Processes:
wOMQUkcA.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation wOMQUkcA.exe -
Executes dropped EXE 2 IoCs
Processes:
wOMQUkcA.exenugMEQok.exepid process 4312 wOMQUkcA.exe 1488 nugMEQok.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exewOMQUkcA.exenugMEQok.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOMQUkcA.exe = "C:\\Users\\Admin\\tqAAUMkU\\wOMQUkcA.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nugMEQok.exe = "C:\\ProgramData\\aqQgIgcs\\nugMEQok.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wOMQUkcA.exe = "C:\\Users\\Admin\\tqAAUMkU\\wOMQUkcA.exe" wOMQUkcA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nugMEQok.exe = "C:\\ProgramData\\aqQgIgcs\\nugMEQok.exe" nugMEQok.exe Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCAsUwkM.exe = "C:\\Users\\Admin\\VYoQUkAQ\\OCAsUwkM.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rIIIUMgc.exe = "C:\\ProgramData\\iSQQoYMc\\rIIIUMgc.exe" 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe -
Drops file in System32 directory 2 IoCs
Processes:
wOMQUkcA.exedescription ioc process File created C:\Windows\SysWOW64\shell32.dll.exe wOMQUkcA.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe wOMQUkcA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1860 932 WerFault.exe rIIIUMgc.exe 4132 5000 WerFault.exe OCAsUwkM.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 2996 reg.exe 2400 reg.exe 3976 reg.exe 4708 reg.exe 5000 reg.exe 824 reg.exe 4856 reg.exe 1052 reg.exe 4556 reg.exe 4772 reg.exe 4208 reg.exe 4008 reg.exe 4368 reg.exe 1656 reg.exe 2640 reg.exe 4516 reg.exe 1500 reg.exe 1096 reg.exe 1820 reg.exe 3528 reg.exe 1272 reg.exe 3628 reg.exe 1816 reg.exe 4544 reg.exe 2148 reg.exe 4284 reg.exe 2800 reg.exe 3280 reg.exe 4860 reg.exe 1656 reg.exe 4512 reg.exe 2692 reg.exe 2800 reg.exe 4780 reg.exe 2948 reg.exe 3980 reg.exe 4228 reg.exe 1824 reg.exe 3276 reg.exe 5052 reg.exe 3276 reg.exe 3956 reg.exe 832 reg.exe 4228 reg.exe 4696 reg.exe 2812 reg.exe 3676 reg.exe 3628 reg.exe 2724 reg.exe 4284 reg.exe 3368 reg.exe 2864 reg.exe 3452 reg.exe 4352 reg.exe 2812 reg.exe 3920 reg.exe 1836 reg.exe 4620 reg.exe 340 reg.exe 2732 reg.exe 4780 reg.exe 1464 reg.exe 3560 reg.exe 2584 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exepid process 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1588 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1588 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1588 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1588 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 492 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 492 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 492 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 492 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 956 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3056 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3056 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3056 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3056 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3568 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3568 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3568 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3568 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 1540 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3544 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3544 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3544 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3544 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 4252 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 4252 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 4252 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 4252 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2236 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2236 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2236 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2236 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 116 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 116 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 116 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 
116 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2340 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2592 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2592 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2592 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 2592 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3480 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3480 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3480 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 3480 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
wOMQUkcA.exepid process 4312 wOMQUkcA.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
wOMQUkcA.exepid process 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe 4312 wOMQUkcA.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.execmd.execmd.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.execmd.execmd.exe2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.execmd.exedescription pid process target process PID 2692 wrote to memory of 4312 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe wOMQUkcA.exe PID 2692 wrote to memory of 4312 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe wOMQUkcA.exe PID 2692 wrote to memory of 4312 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe wOMQUkcA.exe PID 2692 wrote to memory of 1488 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe nugMEQok.exe PID 2692 wrote to memory of 1488 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe nugMEQok.exe PID 2692 wrote to memory of 1488 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe nugMEQok.exe PID 2692 wrote to memory of 4700 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2692 wrote to memory of 4700 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2692 wrote to memory of 4700 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2692 wrote to memory of 1280 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 1280 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 1280 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 3512 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 3512 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 3512 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 3636 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 3636 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe 
reg.exe PID 2692 wrote to memory of 3636 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 2692 wrote to memory of 1236 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2692 wrote to memory of 1236 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2692 wrote to memory of 1236 2692 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 4700 wrote to memory of 3908 4700 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 4700 wrote to memory of 3908 4700 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 4700 wrote to memory of 3908 4700 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 1236 wrote to memory of 2864 1236 cmd.exe cscript.exe PID 1236 wrote to memory of 2864 1236 cmd.exe cscript.exe PID 1236 wrote to memory of 2864 1236 cmd.exe cscript.exe PID 3908 wrote to memory of 2800 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 3908 wrote to memory of 2800 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 3908 wrote to memory of 2800 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 3908 wrote to memory of 2824 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2824 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2824 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2988 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2988 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2988 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2712 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2712 3908 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2712 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 3908 wrote to memory of 2684 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 3908 wrote to memory of 2684 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 3908 wrote to memory of 2684 3908 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 2800 wrote to memory of 736 2800 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2800 wrote to memory of 736 2800 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2800 wrote to memory of 736 2800 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe PID 2684 wrote to memory of 712 2684 cmd.exe cscript.exe PID 2684 wrote to memory of 712 2684 cmd.exe cscript.exe PID 2684 wrote to memory of 712 2684 cmd.exe cscript.exe PID 736 wrote to memory of 696 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 736 wrote to memory of 696 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 736 wrote to memory of 696 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 736 wrote to memory of 3052 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 3052 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 3052 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 4460 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 4460 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 4460 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 3560 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 3560 736 
2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 3560 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe reg.exe PID 736 wrote to memory of 1780 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 736 wrote to memory of 1780 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 736 wrote to memory of 1780 736 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe cmd.exe PID 696 wrote to memory of 1588 696 cmd.exe 2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe
Processes (process tree — the trailing N⤵ marker on each row is the nesting depth, not a PID). Two points for anyone correlating this with host telemetry: the sample re-launches itself through `cmd.exe /c "C:\...\2024-04-07_..._virlock"` with the `.exe` extension omitted, which is a usable lineage indicator (cmd.exe → same image, extension-less path); and PIDs are reused as earlier processes exit (e.g. PID 3116 is cmd.exe at depth 8 and the re-launched sample at depths 89 and 113), so key events on PID plus creation time, never PID alone. The `conhost.exe 0xffffffff -ForceV1` children are the normal console host spawned for the console-mode cmd.exe instances and are not themselves an indicator.
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe"C:\Users\Admin\tqAAUMkU\wOMQUkcA.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4312
-
-
C:\ProgramData\aqQgIgcs\nugMEQok.exe"C:\ProgramData\aqQgIgcs\nugMEQok.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1488
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"8⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"10⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"12⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"14⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"16⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"18⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"20⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"22⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"24⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"26⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"28⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"30⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"32⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock33⤵PID:2584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"34⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock35⤵PID:3604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"36⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock37⤵PID:3736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"38⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock39⤵PID:4924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"40⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock41⤵PID:340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"42⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock43⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"44⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock45⤵PID:1468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"46⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock47⤵PID:2500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"48⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock49⤵PID:1800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"50⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock51⤵PID:4288
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"52⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock53⤵PID:4236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"54⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock55⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"56⤵PID:2500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock57⤵PID:4944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"58⤵PID:1696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵PID:1656
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock59⤵PID:3396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"60⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock61⤵PID:4468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"62⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock63⤵PID:3020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"64⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock65⤵PID:3936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"66⤵PID:4360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4944
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock67⤵PID:3352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"68⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock69⤵PID:1124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"70⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock71⤵PID:4680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"72⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock73⤵PID:4504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"74⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock75⤵PID:2436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"76⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock77⤵PID:4328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"78⤵PID:2784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:3468
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock79⤵PID:1476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"80⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock81⤵PID:4928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"82⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock83⤵PID:2852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"84⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock85⤵PID:3172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"86⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock87⤵PID:1228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"88⤵PID:3560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock89⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"90⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock91⤵PID:712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"92⤵PID:2328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:4276
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock93⤵PID:1096
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"94⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock95⤵PID:3872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"96⤵PID:2988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:3684
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock97⤵PID:1512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"98⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock99⤵PID:2100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"100⤵PID:4092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock101⤵PID:4140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"102⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock103⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"104⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock105⤵PID:2888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"106⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock107⤵PID:2876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"108⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock109⤵PID:4628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"110⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock111⤵PID:1680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"112⤵PID:696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock113⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"114⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock115⤵PID:4068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"116⤵PID:2400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock117⤵PID:2876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"118⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock119⤵PID:3524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"120⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock121⤵PID:116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_29df57be6e75f670b1d223ce4733a587_virlock"122⤵PID:456