Analysis
- max time kernel: 150s
- max time network: 87s
- platform: windows11-21h2_x64
- resource: win11-20231215-en
- resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27/01/2024, 22:13
Static task
- static1
Behavioral tasks (sample ViraLock.exe in each)
- behavioral1: win7-20231215-en
- behavioral2: win10-20231215-en
- behavioral3: win10v2004-20231215-en
- behavioral4: win11-20231215-en
General
- Target: ViraLock.exe
- Size: 194KB
- MD5: 8803d517ac24b157431d8a462302b400
- SHA1: b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
- SHA256: 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
- SHA512: 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
- SSDEEP: 3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
All 64 entries write this one value. HideFileExt = 1 makes Explorer hide known extensions, so the dropped "shell32.dll.exe" (see "Drops file in System32 directory" below) displays as "shell32.dll"; note that 1 is also the Windows default, so the value alone is a weak indicator. The writing process is reg.exe in most entries, Conhost.exe in two, and "Process not Found" in the rest, which is how the sandbox labels a write it could not attribute to a process still running at the time of logging.
-
Sets EnableLUA = "0" (the signature title for this block is missing from this copy of the report)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Every entry writes this one value, by reg.exe in all but a handful of cases, the remainder attributed to "Process not Found". EnableLUA = 0 turns User Account Control off; the change takes effect after a reboot, after which later elevations produce no consent prompt. Writing this HKLM value requires administrative rights, which the sandbox user (Admin) has.
-
Renames multiple (81) files with added filename extension
This suggests ransomware activity: the renamed files are most likely the encrypted originals. The report does not list the added extension or the affected paths.
-
Executes dropped EXE 2 IoCs
pid Process
1484 NCkEwEcI.exe
3796 LOgAwYQU.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\NCkEwEcI.exe = "C:\Users\Admin\TYIEIgYM\NCkEwEcI.exe"  ViraLock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOgAwYQU.exe = "C:\ProgramData\WcMIscsM\LOgAwYQU.exe"  ViraLock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOgAwYQU.exe = "C:\ProgramData\WcMIscsM\LOgAwYQU.exe"  LOgAwYQU.exe
Set value (str) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\NCkEwEcI.exe = "C:\Users\Admin\TYIEIgYM\NCkEwEcI.exe"  NCkEwEcI.exe
Two persistence points: a per-user Run entry for the copy under the user profile and a machine-wide Run entry for the copy under ProgramData. The parent writes both, and each dropped executable re-writes its own entry once started. The HKLM key lands under WOW6432Node because the sample is a 32-bit process writing through WOW64 registry redirection.
-
EnableLUA written and read back from cmd.exe (the signature title for this block is missing from this copy of the report)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Process not Found
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  cmd.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Process not Found
-
Drops file in System32 directory 2 IoCs
description ioc Process
File created  C:\Windows\SysWOW64\shell32.dll.exe  LOgAwYQU.exe
File opened for modification  C:\Windows\SysWOW64\shell32.dll.exe  LOgAwYQU.exe
The name is chosen to pass as the real shell32.dll once extensions are hidden (see the HideFileExt change above); the legitimate library is shell32.dll, not shell32.dll.exe.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
pid Process
reg.exe (54 entries): 2724, 2544, 1052, 4480, 5016, 4232, 2424, 2484, 4944, 2120, 3224, 1516, 3752, 2032, 2120, 5076, 744, 2776, 4632, 4948, 1204, 2624, 3468, 4364, 2464, 2020, 1732, 3220, 640, 572, 4800, 4972, 1428, 1732, 1652, 1760, 3964, 3364, 1628, 5084, 780, 3728, 2588, 436, 4200, 3952, 4352, 1608, 1972, 880, 1948, 4516, 1568, 3728
Process not Found (10 entries): 3052, 1652, 1504, 1032, 2304, 2376, 396, 2684, 3460, 1808
The sample spawns a fresh reg.exe for each write; PIDs 2120, 1732 and 3728 each appear twice and 1652 appears in both columns, i.e. process IDs were reused during the run.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
ViraLock.exe, four entries each: 4660, 3440, 3336, 2128, 2544, 1656, 480, 1020, 1032, 2912, 4508, 4436, 3864, 3916, 4060, 1504
These 16 PIDs are, in order, the ViraLock.exe instances at depths 1, 3, 5, ... 31 of the process tree below.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3796 LOgAwYQU.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3796 LOgAwYQU.exe (all 64 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each parent/child pair appears three times in the report (the writes made while the child process is being created); the 64 entries collapse to the 22 pairs below, the last of which is cut off after its first entry.
PID 4660 ViraLock.exe wrote to memory of 1484 (procid_target 77)
PID 4660 ViraLock.exe wrote to memory of 3796 (procid_target 78)
PID 4660 ViraLock.exe wrote to memory of 4560 (procid_target 79)
PID 4660 ViraLock.exe wrote to memory of 3224 (procid_target 81)
PID 4660 ViraLock.exe wrote to memory of 3664 (procid_target 84)
PID 4660 ViraLock.exe wrote to memory of 3560 (procid_target 83)
PID 4660 ViraLock.exe wrote to memory of 4184 (procid_target 82)
PID 4560 cmd.exe wrote to memory of 3440 (procid_target 89)
PID 4184 cmd.exe wrote to memory of 4240 (procid_target 90)
PID 3440 ViraLock.exe wrote to memory of 736 (procid_target 91)
PID 736 cmd.exe wrote to memory of 3336 (procid_target 93)
PID 3440 ViraLock.exe wrote to memory of 2776 (procid_target 94)
PID 3440 ViraLock.exe wrote to memory of 420 (procid_target 95)
PID 3440 ViraLock.exe wrote to memory of 4144 (procid_target 96)
PID 3440 ViraLock.exe wrote to memory of 1576 (procid_target 97)
PID 1576 cmd.exe wrote to memory of 3484 (procid_target 102)
PID 3336 ViraLock.exe wrote to memory of 1764 (procid_target 103)
PID 3336 ViraLock.exe wrote to memory of 396 (procid_target 105)
PID 3336 ViraLock.exe wrote to memory of 3152 (procid_target 106)
PID 3336 ViraLock.exe wrote to memory of 4872 (procid_target 107)
PID 3336 ViraLock.exe wrote to memory of 5084 (procid_target 108)
PID 1764 cmd.exe wrote to memory of 2128 (procid_target 109; one entry only)
Children 3224, 2776, 5084 and 396 are listed under "Modifies registry key" above (reg.exe, or Process not Found for 396), so each ViraLock.exe instance spawns its own batch of reg.exe children alongside the cmd.exe re-launch; those reg.exe children are not shown in the truncated process tree below.
-
System policy modification 1 TTPs 4 IoCs
description ioc Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  cmd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  cmd.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  Process not Found
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Process not Found
Processes
Process tree for this run (win11-20231215-en); the number in brackets is the depth the report shows. The root starts the two dropped executables and then cmd.exe /c with its own path minus the ".exe"; cmd resolves that to ViraLock.exe again, the new instance repeats the step, and so the chain alternates cmd.exe and ViraLock.exe and is still growing at depth 37 where this copy of the report ends. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the 32-bit sample's process creation goes through WOW64 file-system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\ViraLock.exe (PID 4660)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\TYIEIgYM\NCkEwEcI.exe (PID 1484)
    cmdline: "C:\Users\Admin\TYIEIgYM\NCkEwEcI.exe"
    - Executes dropped EXE
    - Adds Run key to start application
[2] C:\ProgramData\WcMIscsM\LOgAwYQU.exe (PID 3796)
    cmdline: "C:\ProgramData\WcMIscsM\LOgAwYQU.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
[2] C:\Windows\SysWOW64\cmd.exe (PID 4560)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\ViraLock.exe (PID 3440)
    cmdline: C:\Users\Admin\AppData\Local\Temp\ViraLock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[4] cmd.exe (PID 736), same image and cmdline as [2] cmd.exe
    - Suspicious use of WriteProcessMemory
[5] ViraLock.exe (PID 3336), same image and cmdline as [3]
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[6] cmd.exe (PID 1764), same image and cmdline as [2] cmd.exe
    - Suspicious use of WriteProcessMemory
[7] ViraLock.exe (PID 2128), same image and cmdline as [3]
    - Suspicious behavior: EnumeratesProcesses
[8] cmd.exe (PID 716), same image and cmdline as [2] cmd.exe
[9] ViraLock.exe (PID 2544), same image and cmdline as [3]
    - Suspicious behavior: EnumeratesProcesses
[10] cmd.exe (PID 1968), same as [8]
[11] ViraLock.exe (PID 1656), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[12] cmd.exe (PID 4812), same as [8]
[13] ViraLock.exe (PID 480), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[14] cmd.exe (PID 2012), same as [8]
[15] ViraLock.exe (PID 1020), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[16] cmd.exe (PID 3888), same as [8]
[17] ViraLock.exe (PID 1032), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[18] cmd.exe (PID 4972), same as [8]
[19] ViraLock.exe (PID 2912), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[20] cmd.exe (PID 4736), same as [8]
[21] ViraLock.exe (PID 4508), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[22] cmd.exe (PID 2732), same as [8]
[23] ViraLock.exe (PID 4436), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[24] cmd.exe (PID 2060), same as [8]
[25] ViraLock.exe (PID 3864), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[26] cmd.exe (PID 2308), same as [8]
[27] ViraLock.exe (PID 3916), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[28] cmd.exe (PID 1576), same as [8]
[29] ViraLock.exe (PID 4060), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[30] cmd.exe (PID 1476), same as [8]
[31] ViraLock.exe (PID 1504), same as [9]
    - Suspicious behavior: EnumeratesProcesses
[32] cmd.exe (PID 1960), same as [8]
[33] ViraLock.exe (PID 4680), same image and cmdline as [3], no signatures recorded
[34] cmd.exe (PID 4028), same as [8]
[35] ViraLock.exe (PID 4868), same as [33]
[36] cmd.exe (PID 844), same as [8]
[37] ViraLock.exe (PID 4200), same as [33]
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"38⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock39⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"40⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock41⤵PID:1776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"42⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock43⤵PID:2828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"44⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock45⤵PID:4556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"46⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock47⤵PID:3320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"48⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock49⤵PID:3704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"50⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock51⤵PID:4840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"52⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock53⤵PID:2724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"54⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock55⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"56⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock57⤵PID:4676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"58⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock59⤵PID:1324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"60⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock61⤵PID:3144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"62⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock63⤵PID:4188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"64⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock65⤵PID:1932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"66⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock67⤵PID:1476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"68⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock69⤵PID:4436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"70⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock71⤵PID:2356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"72⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock73⤵PID:772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"74⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock75⤵PID:948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"76⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock77⤵PID:4060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"78⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock79⤵PID:3948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"80⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock81⤵PID:4848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"82⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock83⤵PID:3992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"84⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock85⤵PID:4828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"86⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock87⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"88⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock89⤵PID:4808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"90⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock91⤵PID:1960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"92⤵PID:1016
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock93⤵PID:2268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"94⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock95⤵PID:2420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"96⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock97⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"98⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock99⤵PID:2588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"100⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock101⤵PID:2696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"102⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock103⤵PID:1480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"104⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock105⤵PID:3808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"106⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock107⤵PID:2912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"108⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock109⤵PID:3888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"110⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock111⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"112⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock113⤵PID:1932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"114⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock115⤵PID:736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"116⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock117⤵PID:4672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"118⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock119⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"120⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock121⤵PID:2464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"122⤵PID:3100