Analysis
-
max time kernel
150s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
14-06-2024 17:48
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
-
Size
204KB
-
MD5
bfbf738fd5d4247871b673a210d78ff0
-
SHA1
38476a8f29ec33644f2439f6cc94db9a1906c9ae
-
SHA256
324d5e5bd8f3bfdc812a4728bd2d95aa68ce1d52a476e73b3abb2d0fe3808f00
-
SHA512
1d256a98f6557653f50dff180b4f12211db33a4f2b57c051299ae5726f94de31c24a561e3892795a00ed1236047064fb432bb58c196a8b506f2ee3433f522720
-
SSDEEP
6144:jiLdwJ5X0SGC7rrYGQJ0qkWfk0NVHlnU7:jSuJ5t2k2nnw
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" -
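The registry writes listed below set EnableLUA to 0, which turns off User Account Control (UAC) on the machine.
Processes: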
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (88) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
kkscoUsI.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation kkscoUsI.exe
-
Executes dropped EXE 2 IoCs
Processes:
kkscoUsI.exe GqUsgYgQ.exe
pid process
4920 kkscoUsI.exe
1992 GqUsgYgQ.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe kkscoUsI.exe GqUsgYgQ.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GqUsgYgQ.exe = "C:\\ProgramData\\cEgQscYc\\GqUsgYgQ.exe" 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkscoUsI.exe = "C:\\Users\\Admin\\ViQgIMQI\\kkscoUsI.exe" kkscoUsI.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GqUsgYgQ.exe = "C:\\ProgramData\\cEgQscYc\\GqUsgYgQ.exe" GqUsgYgQ.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkscoUsI.exe = "C:\\Users\\Admin\\ViQgIMQI\\kkscoUsI.exe" 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
-
Drops file in System32 directory 1 IoCs
Processes:
kkscoUsI.exe
description ioc process
File created C:\Windows\SysWOW64\shell32.dll.exe kkscoUsI.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 4936 reg.exe 2664 reg.exe 908 reg.exe 2116 reg.exe 1960 reg.exe 3884 reg.exe 3404 reg.exe 4656 reg.exe 4828 reg.exe 4420 reg.exe 3760 reg.exe 1528 reg.exe 4656 reg.exe 3468 reg.exe 2008 reg.exe 1004 reg.exe 4480 2608 reg.exe 2080 reg.exe 220 reg.exe 1232 1112 reg.exe 4228 reg.exe 1184 reg.exe 4868 reg.exe 2656 reg.exe 4460 reg.exe 4916 reg.exe 2788 2064 reg.exe 4588 reg.exe 4564 3256 reg.exe 4020 reg.exe 4820 reg.exe 4752 452 reg.exe 3420 reg.exe 4800 reg.exe 4144 reg.exe 1140 reg.exe 612 reg.exe 3584 reg.exe 4800 reg.exe 5108 reg.exe 2608 reg.exe 4656 reg.exe 2080 reg.exe 2156 reg.exe 2424 reg.exe 60 reg.exe 116 reg.exe 5080 reg.exe 4112 reg.exe 2872 reg.exe 1068 reg.exe 2876 reg.exe 1780 reg.exe 3768 3452 reg.exe 2036 reg.exe 1240 reg.exe 2492 reg.exe 968 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exepid process 1852 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1852 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1852 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1852 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1580 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1580 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1580 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 1580 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 908 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 908 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 908 
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 908 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4624 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2388 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2388 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2388 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2388 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4408 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4408 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4408 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4408 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2204 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2204 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2204 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2204 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 3300 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 3300 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 3300 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 3300 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4640 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4228 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4228 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4228 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4228 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2316 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2316 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2316 
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2316 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4816 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4816 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4816 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4816 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4060 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4060 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4060 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 4060 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2776 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2776 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2776 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe 2776 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
kkscoUsI.exe
pid process
4920 kkscoUsI.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
kkscoUsI.exepid process 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe 4920 kkscoUsI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe cmd.exe cmd.exe 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe cmd.exe cmd.exe 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe cmd.exe
description | pid | process | target process
PID 1852 wrote to memory of 4920 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | kkscoUsI.exe
PID 1852 wrote to memory of 4920 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | kkscoUsI.exe
PID 1852 wrote to memory of 4920 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | kkscoUsI.exe
PID 1852 wrote to memory of 1992 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | GqUsgYgQ.exe
PID 1852 wrote to memory of 1992 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | GqUsgYgQ.exe
PID 1852 wrote to memory of 1992 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | GqUsgYgQ.exe
PID 1852 wrote to memory of 1236 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1852 wrote to memory of 1236 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1852 wrote to memory of 1236 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1236 wrote to memory of 2640 | 1236 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1236 wrote to memory of 2640 | 1236 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1236 wrote to memory of 2640 | 1236 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1852 wrote to memory of 4800 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 4800 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 4800 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 1064 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 1064 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 1064 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 4656 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 4656 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 4656 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1852 wrote to memory of 3812 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1852 wrote to memory of 3812 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1852 wrote to memory of 3812 | 1852 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 3812 wrote to memory of 4660 | 3812 | cmd.exe | cscript.exe
PID 3812 wrote to memory of 4660 | 3812 | cmd.exe | cscript.exe
PID 3812 wrote to memory of 4660 | 3812 | cmd.exe | cscript.exe
PID 2640 wrote to memory of 4524 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 2640 wrote to memory of 4524 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 2640 wrote to memory of 4524 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 4524 wrote to memory of 1580 | 4524 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 4524 wrote to memory of 1580 | 4524 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 4524 wrote to memory of 1580 | 4524 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 2640 wrote to memory of 2272 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 2272 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 2272 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 1112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 1112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 1112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 4112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 4112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 4112 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 2640 wrote to memory of 4472 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 2640 wrote to memory of 4472 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 2640 wrote to memory of 4472 | 2640 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 4472 wrote to memory of 628 | 4472 | cmd.exe | cscript.exe
PID 4472 wrote to memory of 628 | 4472 | cmd.exe | cscript.exe
PID 4472 wrote to memory of 628 | 4472 | cmd.exe | cscript.exe
PID 1580 wrote to memory of 1136 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1580 wrote to memory of 1136 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1580 wrote to memory of 1136 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
PID 1136 wrote to memory of 624 | 1136 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1136 wrote to memory of 624 | 1136 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1136 wrote to memory of 624 | 1136 | cmd.exe | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe
PID 1580 wrote to memory of 2664 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 2664 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 2664 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 3140 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 3140 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 3140 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 852 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 852 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 852 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | reg.exe
PID 1580 wrote to memory of 2516 | 1580 | 2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe | cmd.exe
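Processes
Each entry gives the image path, then the command line, then the nesting depth (the number before ⤵), then the PID. Where these fields are run together, the number before ⤵ is the depth and not part of the command line. PIDs recur in this listing (for example 624 at depths 7 and 18), so a PID alone does not identify a single process.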
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe" 1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\ViQgIMQI\kkscoUsI.exe "C:\Users\Admin\ViQgIMQI\kkscoUsI.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4920 -
C:\ProgramData\cEgQscYc\GqUsgYgQ.exe "C:\ProgramData\cEgQscYc\GqUsgYgQ.exe" 2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1992 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock" 2⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exe C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"8⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"10⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"12⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"14⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"16⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"18⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"20⤵PID:564
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"22⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"24⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"26⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"28⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"30⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"32⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock33⤵PID:3688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"34⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock35⤵PID:2792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"36⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock37⤵PID:4284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"38⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock39⤵PID:2380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"40⤵PID:2288
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 41⤵ PID:3468
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock41⤵PID:4980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"42⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock43⤵PID:464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"44⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock45⤵PID:3024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"46⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock47⤵PID:3696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"48⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock49⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"50⤵PID:796
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 51⤵ PID:2380
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock51⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"52⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock53⤵PID:4804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"54⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock55⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"56⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock57⤵PID:4576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"58⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock59⤵PID:3224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"60⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock61⤵PID:4032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"62⤵PID:2988
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 63⤵ PID:4812
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock63⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"64⤵PID:4608
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 65⤵ PID:4980
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock65⤵PID:1036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"66⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock67⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"68⤵PID:4656
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 69⤵ PID:4704
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock69⤵PID:1444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"70⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock71⤵PID:4788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"72⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock73⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"74⤵PID:4964
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 75⤵ PID:4844
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock75⤵PID:4544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"76⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock77⤵PID:3808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"78⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock79⤵PID:448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"80⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock81⤵PID:1140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"82⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock83⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"84⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock85⤵PID:644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"86⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock87⤵PID:3544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"88⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock89⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"90⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock91⤵PID:372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"92⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock93⤵PID:1444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"94⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock95⤵PID:876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"96⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock97⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"98⤵PID:848
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 99⤵ PID:3544
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock99⤵PID:2836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"100⤵PID:4028
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 101⤵ PID:4564
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock101⤵PID:2052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"102⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock103⤵PID:1188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"104⤵PID:1116
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 105⤵ PID:1444
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock105⤵PID:2388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"106⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock107⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"108⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock109⤵PID:3208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"110⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock111⤵PID:4664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"112⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock113⤵PID:4892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"114⤵PID:4872
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 115⤵ PID:1188
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock115⤵PID:1068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"116⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock117⤵PID:2156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"118⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock119⤵PID:3508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"120⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock121⤵PID:1320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"122⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock123⤵PID:4324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"124⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock125⤵PID:4060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"126⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock127⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"128⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock129⤵PID:4172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"130⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock131⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"132⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock133⤵PID:4080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"134⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock135⤵PID:4224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"136⤵PID:684
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 137⤵ PID:4060
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock137⤵PID:4864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"138⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock139⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"140⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock141⤵PID:2872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"142⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock143⤵PID:1140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"144⤵PID:3744
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 145⤵ PID:1108
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock145⤵PID:4528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"146⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock147⤵PID:3572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"148⤵PID:4908
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 149⤵ PID:2052
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock149⤵PID:3852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"150⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock151⤵PID:1140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"152⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock153⤵PID:860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"154⤵PID:372
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock155⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"156⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock157⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"158⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock159⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"160⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock161⤵PID:4672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"162⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock163⤵PID:3080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"164⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock165⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"166⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock167⤵PID:4980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"168⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock169⤵PID:3024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"170⤵PID:2116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1171⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock171⤵PID:4224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"172⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock173⤵PID:2964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"174⤵PID:32
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock175⤵PID:696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"176⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock177⤵PID:3576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"178⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock179⤵PID:2248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"180⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock181⤵PID:3616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"182⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock183⤵PID:800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"184⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock185⤵PID:2220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"186⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock187⤵PID:988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"188⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock189⤵PID:4112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"190⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock191⤵PID:2836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"192⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock193⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"194⤵PID:2220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1195⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock195⤵PID:5080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"196⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock197⤵PID:3152
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"198⤵PID:392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1199⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock199⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"200⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock201⤵PID:5044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"202⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock203⤵PID:1472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"204⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock205⤵PID:3596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"206⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock207⤵PID:4844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"208⤵PID:4576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1209⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock209⤵PID:3060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"210⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock211⤵PID:2268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"212⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock213⤵PID:4176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"214⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock215⤵PID:5048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"216⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock217⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"218⤵PID:2140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1219⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock219⤵PID:4348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"220⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock221⤵PID:2560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"222⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock223⤵PID:464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"224⤵PID:3368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1225⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock225⤵PID:4156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"226⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock227⤵PID:4224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"228⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock229⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"230⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock231⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"232⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock233⤵PID:3808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"234⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock235⤵PID:2956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"236⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock237⤵PID:372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"238⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock239⤵PID:1688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"240⤵PID:5076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1241⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock241⤵PID:3212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-14_bfbf738fd5d4247871b673a210d78ff0_virlock"242⤵PID:2012