Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2024, 10:39

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  Resource: win10v2004-20240508-en

General
- Target: 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
- Size: 186KB
- MD5: d3ff61fb3af4a52b08b70dc9369cf264
- SHA1: 350fe15361b4f4f8b0f7e7c84aba2542b374469a
- SHA256: ce13e35dcdab216ea5a67f021ad9dd14e12b066ee2ac97d72f0b4d6c34e64379
- SHA512: 8f98ec3b1927bd2af948e69e7c4dc6af3fd8745577f2419c768ee074967d4ffb1465a4cdff0a7eb4017eb498392010c0587a5a523c1e2fd2117110b00e6415d9
- SSDEEP: 3072:ttrQtEyTfCeHd5Kv1Z2oyAJVjiLBgJx2z8OpAl9BG5q1S61eQ3Nwzz31G:ttrILqe/ZsJZ4O2z8OpA5G5HFQ3Czb4
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
All 64 rows set this same key and value; they differ only in the Process column, which is reg.exe in all but 5 rows, where the process is recorded as Process not Found.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
All rows of this table set this same key and value; they differ only in the Process column, which is reg.exe in all but 5 rows, where the process is recorded as Process not Found.
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | gmYAscAw.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
3284 | HCwQYMko.exe
3492 | gmYAscAw.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmYAscAw.exe = "C:\\ProgramData\\NmcUAcgo\\gmYAscAw.exe" | gmYAscAw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HCwQYMko.exe = "C:\\Users\\Admin\\yeEQwYUA\\HCwQYMko.exe" | HCwQYMko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IiEgkQIM.exe = "C:\\Users\\Admin\\JkAAAEwU\\IiEgkQIM.exe" | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUEAAIsM.exe = "C:\\ProgramData\\lAoMQcsw\\SUEAAIsM.exe" | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HCwQYMko.exe = "C:\\Users\\Admin\\yeEQwYUA\\HCwQYMko.exe" | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmYAscAw.exe = "C:\\ProgramData\\NmcUAcgo\\gmYAscAw.exe" | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | gmYAscAw.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | gmYAscAw.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4780 | 3708 | WerFault.exe | 427
244 | 4748 | WerFault.exe | 426
-
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
reg.exe (60 rows, PIDs in the order reported): 5020, 4732, 2084, 4600, 3772, 3852, 3420, 1316, 4764, 4756, 1576, 4940, 392, 1936, 3268, 2372, 4444, 2480, 4020, 432, 644, 516, 4952, 396, 2492, 3524, 1956, 216, 5000, 3040, 516, 4420, 2060, 1764, 5064, 1004, 1936, 3412, 2188, 892, 3224, 4656, 2052, 4352, 4524, 552, 4920, 4420, 1868, 440, 2992, 2232, 4536, 3440, 4784, 4492, 2084, 1848, 516, 4684
Process not Found (4 rows): 1480, 1808, 3348, 372
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
Every row names 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe; each of the following PIDs appears in 4 rows, in this order: 1752, 2208, 4560, 3800, 2560, 1796, 4632, 3096, 4696, 2104, 1636, 4752, 528, 4920, 2164, 1988
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3492 | gmYAscAw.exe
-
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
3492 | gmYAscAw.exe (64 identical rows)
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each row below appears three times in the report except the last, which appears once (64 rows in total).
PID 1752 wrote to memory of 3284 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 84
PID 1752 wrote to memory of 3492 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 85
PID 1752 wrote to memory of 940 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 86
PID 1752 wrote to memory of 1100 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 89
PID 1752 wrote to memory of 3392 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 90
PID 1752 wrote to memory of 4756 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 91
PID 1752 wrote to memory of 3400 | 1752 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 92
PID 940 wrote to memory of 2208 | 940 | cmd.exe | 94
PID 3400 wrote to memory of 1660 | 3400 | cmd.exe | 98
PID 2208 wrote to memory of 4692 | 2208 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 99
PID 4692 wrote to memory of 4560 | 4692 | cmd.exe | 101
PID 2208 wrote to memory of 4656 | 2208 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 102
PID 2208 wrote to memory of 1824 | 2208 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 103
PID 2208 wrote to memory of 3096 | 2208 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 104
PID 2208 wrote to memory of 3848 | 2208 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 105
PID 3848 wrote to memory of 3708 | 3848 | cmd.exe | 110
PID 4560 wrote to memory of 1464 | 4560 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 111
PID 1464 wrote to memory of 3800 | 1464 | cmd.exe | 113
PID 4560 wrote to memory of 4088 | 4560 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 114
PID 4560 wrote to memory of 1776 | 4560 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 115
PID 4560 wrote to memory of 3444 | 4560 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 116
PID 4560 wrote to memory of 3140 | 4560 | 2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe | 117
Processes
(depth = nesting level in the process tree; each entry gives the image path, the command line as recorded, the PID and the behaviour tags attached to that process)

depth 1  PID 1752  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

depth 2  PID 3284  C:\Users\Admin\yeEQwYUA\HCwQYMko.exe
  command line: "C:\Users\Admin\yeEQwYUA\HCwQYMko.exe"
  - Executes dropped EXE
  - Adds Run key to start application

depth 2  PID 3492  C:\ProgramData\NmcUAcgo\gmYAscAw.exe
  command line: "C:\ProgramData\NmcUAcgo\gmYAscAw.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow

depth 2  PID 940  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"
  - Suspicious use of WriteProcessMemory

depth 3  PID 2208  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

depth 4  PID 4692  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"
  - Suspicious use of WriteProcessMemory

depth 5  PID 4560  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

depth 6  PID 1464  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"
  - Suspicious use of WriteProcessMemory

depth 7  PID 3800  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 8  PID 3236  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 9  PID 2560  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 10  PID 1688  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 11  PID 1796  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 12  PID 4476  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 13  PID 4632  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 14  PID 1496  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 15  PID 3096  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 16  PID 3948  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 17  PID 4696  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 18  PID 2200  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 19  PID 2104  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 20  PID 4600  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 21  PID 1636  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 22  PID 3620  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 23  PID 4752  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 24  PID 2232  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 25  PID 528  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 26  PID 4484  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 27  PID 4920  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 28  PID 4020  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 29  PID 2164  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 30  PID 1268  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 31  PID 1988  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Suspicious behavior: EnumeratesProcesses

depth 32  PID 4632  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 33  PID 4368  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 34  PID 4624  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 35  PID 2128  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 36  PID 632  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 37  PID 3760  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 38  PID 5084  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 39  PID 4908  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 40  PID 4564  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 41  PID 1764  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 42  PID 3420  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 43  PID 2448  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 44  PID 4400  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 45  PID 752  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 46  PID 4588  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 47  PID 4960  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 48  PID 632  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 49  PID 400  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 50  PID 2028  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 51  PID 4896  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 52  PID 2400  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 53  PID 4656  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 54  PID 1748  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 55  PID 624  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 56  PID 3240  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 57  PID 2560  C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 57  PID 1356  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock
  - Adds Run key to start application

depth 58  PID 4748  C:\Users\Admin\JkAAAEwU\IiEgkQIM.exe
  command line: "C:\Users\Admin\JkAAAEwU\IiEgkQIM.exe"

depth 59  PID 244  C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 224
  - Program crash

depth 58  PID 3708  C:\ProgramData\lAoMQcsw\SUEAAIsM.exe
  command line: "C:\ProgramData\lAoMQcsw\SUEAAIsM.exe"

depth 59  PID 4780  C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 224
  - Program crash

depth 58  PID 1544  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 59  PID 3528  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 60  PID 3160  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 61  PID 4000  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 62  PID 4804  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 63  PID 1360  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 64  PID 4968  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 65  PID 3624  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 66  PID 2828  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 67  PID 5088  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 68  PID 2112  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 69  PID 4724  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 70  PID 4960  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 71  PID 4300  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 72  PID 2028  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 73  PID 2944  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 74  PID 2948  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 75  PID 704  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 76  PID 1748  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 77  PID 3720  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 78  PID 4388  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 79  PID 4592  C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 79  PID 2176  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 80  PID 2932  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 81  PID 4780  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 82  PID 4384  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 83  PID 1828  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 84  PID 3260  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 85  PID 4024  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 86  PID 528  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 87  PID 2504  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 88  PID 2860  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 89  PID 392  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 90  PID 4660  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 91  PID 4932  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 92  PID 764  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 93  PID 4796  C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 93  PID 4972  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 94  PID 1300  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 95  PID 208  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 96  PID 1092  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 97  PID 4540  C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 97  PID 3440  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 98  PID 3212  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 99  PID 2308  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 100  PID 1792  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 101  PID 1748  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 102  PID 4388  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 103  PID 4636  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 104  PID 3092  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 105  PID 4232  C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

depth 105  PID 4704  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 106  PID 2972  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 107  PID 208  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 108  PID 4968  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 109  PID 940  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 110  PID 1100  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 111  PID 2308  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 112  PID 4152  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 113  PID 4508  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 114  PID 4928  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 115  PID 2364  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 116  PID 456  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 117  PID 3092  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 118  PID 4248  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 119  PID 4564  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 120  PID 3240  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"

depth 121  PID 1976  C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock

depth 122  PID 3412  C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_d3ff61fb3af4a52b08b70dc9369cf264_virlock"