Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
01-06-2024 06:56
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe
-
Size
464KB
-
MD5
f2738ed34ded05aa382f6ea9f36fb112
-
SHA1
1e307deb03c59a980332ce0cc16c37a1043518da
-
SHA256
c411e8cd1d9dcd8969d344cda702742e9e74e5b8aad93289df1e3b5bde823116
-
SHA512
e88a779f0d8a394d46e4f2558d60371f87c99d85220683ca2ad6c961ac360329e600dd3aa8059e0b2de03987e207ccb14f9059a571aad7c4b2c056aceb4554d8
-
SSDEEP
6144:KWWzV1wyFYMc+U46kKkBDo3MuKAkZedPVrfdnvDEbbybKLzVBy/kncTNlpoaSCrE:A1w08YA4WPpdnbAYl8ncxlugE
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (65) files with added filename extension
This suggests ransomware activity, i.e. encryption of files across the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing (restricting execution by region).
Processes:
uckAUEgE.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation uckAUEgE.exe -
Executes dropped EXE 2 IoCs
Processes:
DSYIckcs.exeuckAUEgE.exepid Process 1632 DSYIckcs.exe 2860 uckAUEgE.exe -
Loads dropped DLL 20 IoCs
Processes:
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeuckAUEgE.exepid Process 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeuckAUEgE.exeDSYIckcs.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSYIckcs.exe = "C:\\Users\\Admin\\fAMQkMkE\\DSYIckcs.exe" 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uckAUEgE.exe = "C:\\ProgramData\\pSAcEAgE\\uckAUEgE.exe" 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uckAUEgE.exe = "C:\\ProgramData\\pSAcEAgE\\uckAUEgE.exe" uckAUEgE.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSYIckcs.exe = "C:\\Users\\Admin\\fAMQkMkE\\DSYIckcs.exe" DSYIckcs.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZoYsEUEI.exe = "C:\\Users\\Admin\\XuMkEgco\\ZoYsEUEI.exe" 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eQsoIMQY.exe = "C:\\ProgramData\\BCcYwkow\\eQsoIMQY.exe" 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 2668 2428 WerFault.exe 318 2144 1888 WerFault.exe 320 -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid Process 1576 reg.exe 572 reg.exe 1268 reg.exe 2444 reg.exe 3048 reg.exe 1744 reg.exe 1360 reg.exe 1792 reg.exe 2648 reg.exe 1668 reg.exe 2828 reg.exe 2820 reg.exe 2800 reg.exe 1684 reg.exe 2508 reg.exe 3020 reg.exe 2632 reg.exe 2572 reg.exe 2656 reg.exe 2856 reg.exe 1104 reg.exe 2684 reg.exe 2624 reg.exe 1968 reg.exe 2372 reg.exe 2840 reg.exe 1096 reg.exe 308 reg.exe 1948 reg.exe 852 reg.exe 1104 reg.exe 588 reg.exe 2808 reg.exe 1748 reg.exe 1960 reg.exe 1028 reg.exe 2548 reg.exe 2728 reg.exe 2388 reg.exe 2612 reg.exe 1152 reg.exe 2980 reg.exe 1296 reg.exe 1616 reg.exe 3004 reg.exe 2520 reg.exe 1804 reg.exe 1804 reg.exe 2256 reg.exe 1836 reg.exe 1572 reg.exe 336 reg.exe 1128 reg.exe 1940 reg.exe 1444 reg.exe 1900 reg.exe 2612 reg.exe 1716 reg.exe 1356 reg.exe 748 reg.exe 1836 reg.exe 2292 reg.exe 2656 reg.exe 2296 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exepid Process 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2292 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2604 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2604 
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2992 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2992 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2936 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2936 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1944 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1944 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2036 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2036 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2364 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2364 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2724 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2724 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2768 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2768 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2856 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2856 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 404 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 404 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1600 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1600 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2568 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2568 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2628 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2628 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2564 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2564 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1748 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1748 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2756 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2756 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 748 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 748 
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1040 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1040 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2884 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2884 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1448 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1448 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 268 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 268 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 328 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 328 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 272 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 272 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2124 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2124 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2536 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2536 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2972 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2972 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 560 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 560 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 328 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 328 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 600 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 600 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2852 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 2852 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1700 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe 1700 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
uckAUEgE.exepid Process 2860 uckAUEgE.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
uckAUEgE.exepid Process 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe 2860 uckAUEgE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe, cmd.exe, cmd.exe, 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe, cmd.exe, cmd.exe
description | pid | Process | procid_target
PID 2292 wrote to memory of 1632 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 28
PID 2292 wrote to memory of 1632 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 28
PID 2292 wrote to memory of 1632 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 28
PID 2292 wrote to memory of 1632 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 28
PID 2292 wrote to memory of 2860 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 29
PID 2292 wrote to memory of 2860 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 29
PID 2292 wrote to memory of 2860 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 29
PID 2292 wrote to memory of 2860 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 29
PID 2292 wrote to memory of 2680 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 30
PID 2292 wrote to memory of 2680 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 30
PID 2292 wrote to memory of 2680 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 30
PID 2292 wrote to memory of 2680 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 30
PID 2680 wrote to memory of 2604 | 2680 | cmd.exe | 33
PID 2680 wrote to memory of 2604 | 2680 | cmd.exe | 33
PID 2680 wrote to memory of 2604 | 2680 | cmd.exe | 33
PID 2680 wrote to memory of 2604 | 2680 | cmd.exe | 33
PID 2292 wrote to memory of 2612 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 32
PID 2292 wrote to memory of 2612 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 32
PID 2292 wrote to memory of 2612 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 32
PID 2292 wrote to memory of 2612 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 32
PID 2292 wrote to memory of 2828 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 34
PID 2292 wrote to memory of 2828 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 34
PID 2292 wrote to memory of 2828 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 34
PID 2292 wrote to memory of 2828 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 34
PID 2292 wrote to memory of 1968 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 36
PID 2292 wrote to memory of 1968 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 36
PID 2292 wrote to memory of 1968 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 36
PID 2292 wrote to memory of 1968 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 36
PID 2292 wrote to memory of 2476 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 39
PID 2292 wrote to memory of 2476 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 39
PID 2292 wrote to memory of 2476 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 39
PID 2292 wrote to memory of 2476 | 2292 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 39
PID 2476 wrote to memory of 2956 | 2476 | cmd.exe | 41
PID 2476 wrote to memory of 2956 | 2476 | cmd.exe | 41
PID 2476 wrote to memory of 2956 | 2476 | cmd.exe | 41
PID 2476 wrote to memory of 2956 | 2476 | cmd.exe | 41
PID 2604 wrote to memory of 1640 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 42
PID 2604 wrote to memory of 1640 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 42
PID 2604 wrote to memory of 1640 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 42
PID 2604 wrote to memory of 1640 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 42
PID 1640 wrote to memory of 2992 | 1640 | cmd.exe | 44
PID 1640 wrote to memory of 2992 | 1640 | cmd.exe | 44
PID 1640 wrote to memory of 2992 | 1640 | cmd.exe | 44
PID 1640 wrote to memory of 2992 | 1640 | cmd.exe | 44
PID 2604 wrote to memory of 2240 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 45
PID 2604 wrote to memory of 2240 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 45
PID 2604 wrote to memory of 2240 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 45
PID 2604 wrote to memory of 2240 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 45
PID 2604 wrote to memory of 1744 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 46
PID 2604 wrote to memory of 1744 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 46
PID 2604 wrote to memory of 1744 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 46
PID 2604 wrote to memory of 1744 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 46
PID 2604 wrote to memory of 2060 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 48
PID 2604 wrote to memory of 2060 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 48
PID 2604 wrote to memory of 2060 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 48
PID 2604 wrote to memory of 2060 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 48
PID 2604 wrote to memory of 2764 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 51
PID 2604 wrote to memory of 2764 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 51
PID 2604 wrote to memory of 2764 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 51
PID 2604 wrote to memory of 2764 | 2604 | 2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe | 51
PID 2764 wrote to memory of 2756 | 2764 | cmd.exe | 53
PID 2764 wrote to memory of 2756 | 2764 | cmd.exe | 53
PID 2764 wrote to memory of 2756 | 2764 | cmd.exe | 53
PID 2764 wrote to memory of 2756 | 2764 | cmd.exe | 53
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Users\Admin\fAMQkMkE\DSYIckcs.exe"C:\Users\Admin\fAMQkMkE\DSYIckcs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1632
-
-
C:\ProgramData\pSAcEAgE\uckAUEgE.exe"C:\ProgramData\pSAcEAgE\uckAUEgE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2860
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"6⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"8⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"10⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"12⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"14⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"16⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"18⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"20⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"22⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"24⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2568 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"26⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"28⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"30⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"32⤵PID:600
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"34⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:748 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"36⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1040 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"38⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"40⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"42⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:268 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"44⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"46⤵PID:600
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:272 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"48⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock49⤵
- Adds Run key to start application
PID:2356 -
C:\Users\Admin\XuMkEgco\ZoYsEUEI.exe"C:\Users\Admin\XuMkEgco\ZoYsEUEI.exe"50⤵PID:2428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 3651⤵
- Program crash
PID:2668
-
-
-
C:\ProgramData\BCcYwkow\eQsoIMQY.exe"C:\ProgramData\BCcYwkow\eQsoIMQY.exe"50⤵PID:1888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 3651⤵
- Program crash
PID:2144
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"50⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"52⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"54⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"56⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:560 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"58⤵PID:1096
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"60⤵PID:272
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:600 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"62⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"64⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock65⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"66⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock67⤵PID:1128
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"68⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock69⤵PID:2904
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"70⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock71⤵PID:2728
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"72⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock73⤵PID:1836
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"74⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock75⤵PID:2036
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"76⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock77⤵PID:2532
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"78⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock79⤵PID:1516
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"80⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock81⤵PID:1764
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"82⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock83⤵PID:2904
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"84⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock85⤵PID:756
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"86⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock87⤵PID:1596
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"88⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock89⤵PID:2480
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"90⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock91⤵PID:2220
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"92⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock93⤵PID:2856
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"94⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock95⤵PID:2040
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"96⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock97⤵PID:2648
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"98⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock99⤵PID:3064
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"100⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock101⤵PID:1596
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"102⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock103⤵PID:1252
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"104⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock105⤵PID:1128
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"106⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock107⤵PID:2416
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"108⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock109⤵PID:604
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"110⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock111⤵PID:1456
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"112⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock113⤵PID:3016
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"114⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock115⤵PID:1252
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"116⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock117⤵PID:1588
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"118⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock119⤵PID:2268
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"120⤵PID:112
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock121⤵PID:620
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f2738ed34ded05aa382f6ea9f36fb112_virlock"122⤵PID:2484