Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
15/05/2024, 10:41
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe
-
Size
196KB
-
MD5
e9ff91b035c87dd83393342e735a28a7
-
SHA1
3b8780a3b0b9fa81d9e2e4c9eb2bde5fb258c7aa
-
SHA256
dc1c31aed64946afa7cedc15497ada98cb15b20b28db91bb5dfa3a08915b934d
-
SHA512
85bcd41c0d140569fea5159b501fca0db87506306a5695e761dc3324fd18fe022742f05ed79ff3ae346c7fc8c8f924a458a38e8560c268b5bf0b863728a6c771
-
SSDEEP
3072:DPbDCEVlW2/PHeAmfG+a8iJLN5bKawv7SxN/MANvWoHpSxp:DyEVlh/GAHLXEbqvVJ
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (78) files with added filename extension
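This suggests ransomware activity, i.e. encryption of the files on the system. Taken together with the HideFileExt = "1" changes recorded in this report, an appended extension of a known file type would not be shown in Explorer, so check full file names when triaging affected hosts.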
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WewIQwEk.exe -
Executes dropped EXE 2 IoCs
pid Process 3780 WewIQwEk.exe 4948 fKoYYgwc.exe -
Reads user/profile data of web browsers 2 TTPs
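Infostealers often target stored browser data, which can include saved credentials, etc. Because this run also renames files in bulk, these reads may be a by-product of file enumeration rather than credential theft; confirm which files were accessed before drawing that conclusion.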
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WewIQwEk.exe = "C:\\Users\\Admin\\tUYswEoQ\\WewIQwEk.exe" 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fKoYYgwc.exe = "C:\\ProgramData\\LiEYcEYw\\fKoYYgwc.exe" 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WewIQwEk.exe = "C:\\Users\\Admin\\tUYswEoQ\\WewIQwEk.exe" WewIQwEk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fKoYYgwc.exe = "C:\\ProgramData\\LiEYcEYw\\fKoYYgwc.exe" fKoYYgwc.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe WewIQwEk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
pid Process 5000 reg.exe 2740 reg.exe 1288 reg.exe 1664 reg.exe 4828 reg.exe 1920 reg.exe 4380 reg.exe 3248 reg.exe 3928 reg.exe 2932 reg.exe 2328 reg.exe 840 reg.exe 3896 reg.exe 4612 reg.exe 644 reg.exe 1520 reg.exe 2376 reg.exe 1832 reg.exe 5020 reg.exe 3796 reg.exe 4612 reg.exe 1464 reg.exe 840 reg.exe 2324 reg.exe 1780 reg.exe 1680 reg.exe 1388 reg.exe 4696 reg.exe 3060 reg.exe 3896 reg.exe 2792 reg.exe 3588 reg.exe 4424 reg.exe 4088 reg.exe 2076 reg.exe 372 reg.exe 4672 reg.exe 1032 reg.exe 3712 reg.exe 4044 reg.exe 3820 reg.exe 4736 reg.exe 4172 reg.exe 1916 reg.exe 220 reg.exe 4356 reg.exe 4356 reg.exe 2788 reg.exe 4412 reg.exe 800 reg.exe 1748 reg.exe 3232 reg.exe 1296 reg.exe 1908 reg.exe 3596 reg.exe 2804 reg.exe 2304 reg.exe 1848 reg.exe 5052 reg.exe 2624 reg.exe 3008 reg.exe 1676 reg.exe 1948 reg.exe 1832 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2548 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2548 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2548 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2548 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3592 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3592 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3592 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3592 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3648 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3648 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3648 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3648 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1804 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1804 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1804 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 1804 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3940 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3940 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3940 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3940 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2624 
2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2624 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2624 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 2624 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3076 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3076 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3076 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 3076 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4064 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4064 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4064 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4064 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4444 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4444 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4444 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4444 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4708 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4708 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4708 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4708 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 216 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 216 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 216 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 216 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4588 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4588 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4588 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4588 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4612 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4612 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4612 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 4612 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3780 WewIQwEk.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe 3780 WewIQwEk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3764 wrote to memory of 3780 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 83 PID 3764 wrote to memory of 3780 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 83 PID 3764 wrote to memory of 3780 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 83 PID 3764 wrote to memory of 4948 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 84 PID 3764 wrote to memory of 4948 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 84 PID 3764 wrote to memory of 4948 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 84 PID 3764 wrote to memory of 4184 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 85 PID 3764 wrote to memory of 4184 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 85 PID 3764 wrote to memory of 4184 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 85 PID 3764 wrote to memory of 4644 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 88 PID 3764 wrote to memory of 4644 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 88 PID 3764 wrote to memory of 4644 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 88 PID 3764 wrote to memory of 3588 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 89 PID 3764 wrote to memory of 3588 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 89 PID 3764 wrote to memory of 3588 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 89 PID 3764 wrote to memory of 3572 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 90 PID 3764 wrote to memory of 3572 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 90 PID 3764 wrote to memory of 3572 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 90 PID 3764 wrote to memory of 1984 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 91 PID 3764 wrote to memory of 1984 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 91 PID 3764 wrote to 
memory of 1984 3764 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 91 PID 4184 wrote to memory of 4560 4184 cmd.exe 96 PID 4184 wrote to memory of 4560 4184 cmd.exe 96 PID 4184 wrote to memory of 4560 4184 cmd.exe 96 PID 1984 wrote to memory of 4472 1984 cmd.exe 97 PID 1984 wrote to memory of 4472 1984 cmd.exe 97 PID 1984 wrote to memory of 4472 1984 cmd.exe 97 PID 4560 wrote to memory of 3348 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 98 PID 4560 wrote to memory of 3348 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 98 PID 4560 wrote to memory of 3348 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 98 PID 3348 wrote to memory of 1360 3348 cmd.exe 100 PID 3348 wrote to memory of 1360 3348 cmd.exe 100 PID 3348 wrote to memory of 1360 3348 cmd.exe 100 PID 4560 wrote to memory of 840 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 101 PID 4560 wrote to memory of 840 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 101 PID 4560 wrote to memory of 840 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 101 PID 4560 wrote to memory of 1288 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 102 PID 4560 wrote to memory of 1288 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 102 PID 4560 wrote to memory of 1288 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 102 PID 4560 wrote to memory of 1752 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 103 PID 4560 wrote to memory of 1752 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 103 PID 4560 wrote to memory of 1752 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 103 PID 4560 wrote to memory of 2476 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 104 PID 4560 wrote to memory of 2476 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 104 PID 4560 wrote to memory of 2476 4560 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 104 PID 2476 
wrote to memory of 2392 2476 cmd.exe 109 PID 2476 wrote to memory of 2392 2476 cmd.exe 109 PID 2476 wrote to memory of 2392 2476 cmd.exe 109 PID 1360 wrote to memory of 3824 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 110 PID 1360 wrote to memory of 3824 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 110 PID 1360 wrote to memory of 3824 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 110 PID 3824 wrote to memory of 2548 3824 cmd.exe 112 PID 3824 wrote to memory of 2548 3824 cmd.exe 112 PID 3824 wrote to memory of 2548 3824 cmd.exe 112 PID 1360 wrote to memory of 3924 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 113 PID 1360 wrote to memory of 3924 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 113 PID 1360 wrote to memory of 3924 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 113 PID 1360 wrote to memory of 668 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 114 PID 1360 wrote to memory of 668 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 114 PID 1360 wrote to memory of 668 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 114 PID 1360 wrote to memory of 3228 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 115 PID 1360 wrote to memory of 3228 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 115 PID 1360 wrote to memory of 3228 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 115 PID 1360 wrote to memory of 1356 1360 2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe 116
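Processes
(Reading the tree below: each entry is the image path immediately followed by its command line, then the nesting depth before the ⤵ marker, then any behaviour signatures and the PID. In this capture the depth counter rises to 122 as cmd.exe /c and the sample alternate as parent and child.)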
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Users\Admin\tUYswEoQ\WewIQwEk.exe"C:\Users\Admin\tUYswEoQ\WewIQwEk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3780
-
-
C:\ProgramData\LiEYcEYw\fKoYYgwc.exe"C:\ProgramData\LiEYcEYw\fKoYYgwc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"8⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"10⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"12⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"14⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"16⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"18⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"20⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"22⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"24⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"26⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"28⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"30⤵PID:3276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"32⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock33⤵PID:2572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"34⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock35⤵PID:1988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"36⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock37⤵PID:3320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"38⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock39⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"40⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock41⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"42⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock43⤵PID:3612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"44⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock45⤵PID:3800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"46⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock47⤵PID:3248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"48⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock49⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"50⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock51⤵PID:1840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"52⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock53⤵PID:4456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"54⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock55⤵PID:4064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"56⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock57⤵PID:4532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"58⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock59⤵PID:5000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"60⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock61⤵PID:4880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"62⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock63⤵PID:1848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"64⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock65⤵PID:4972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"66⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock67⤵PID:1804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"68⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock69⤵PID:840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"70⤵PID:2752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:1780
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock71⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"72⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock73⤵PID:3828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"74⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock75⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"76⤵PID:1916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock77⤵PID:4340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"78⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock79⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"80⤵PID:712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock81⤵PID:3096
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"82⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock83⤵PID:4472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"84⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock85⤵PID:2536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"86⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock87⤵PID:1872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"88⤵PID:1484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:4536
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock89⤵PID:2804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"90⤵PID:1072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:4996
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock91⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"92⤵PID:220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:3860
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock93⤵PID:4780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"94⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock95⤵PID:3920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"96⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock97⤵PID:332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"98⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock99⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"100⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock101⤵PID:1484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"102⤵PID:228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:2476
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock103⤵PID:5116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"104⤵PID:712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:224
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock105⤵PID:3472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"106⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock107⤵PID:1240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"108⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock109⤵PID:420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"110⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock111⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"112⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock113⤵PID:1832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"114⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock115⤵PID:4548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"116⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock117⤵PID:4716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"118⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock119⤵PID:1960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"120⤵PID:2304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:4692
-
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock121⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_e9ff91b035c87dd83393342e735a28a7_virlock"122⤵PID:4944
-