Analysis
- max time kernel: 26s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 21:33
Static task static1: 1 signatures
Behavioral task behavioral1: Sample ViraLock.exe, Resource win7-20240221-en, 8 signatures, 150 seconds
Behavioral task behavioral2: Sample ViraLock.exe, Resource win10v2004-20240226-en, 1 signatures, 150 seconds
General
- Target: ViraLock.exe
- Size: 194KB
- MD5: 8803d517ac24b157431d8a462302b400
- SHA1: b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
- SHA256: 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
- SHA512: 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
- SSDEEP: 3072:slkfrcHVaq65Oe/ALwm19MYDzMLGquSOt+nSmgevSvoWAnvN0bfINcfln8rvK:Wkfrc0q47/UwQFSFnH9SArvakSflnCS
- Score: 10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 53 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
-
Executes dropped EXE 2 IoCs
pid Process
2528 TUcIIAcg.exe
2688 LeUkcQss.exe
-
Loads dropped DLL 8 IoCs
pid Process
2060 ViraLock.exe
2060 ViraLock.exe
2060 ViraLock.exe
2060 ViraLock.exe
2528 TUcIIAcg.exe
2528 TUcIIAcg.exe
2528 TUcIIAcg.exe
2528 TUcIIAcg.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" ViraLock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" TUcIIAcg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LeUkcQss.exe = "C:\\ProgramData\\GkEwEMwg\\LeUkcQss.exe" LeUkcQss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUcIIAcg.exe = "C:\\Users\\Admin\\fIwEgMMk\\TUcIIAcg.exe" ViraLock.exe
-
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ViraLock.exe "C:\Users\Admin\AppData\Local\Temp\ViraLock.exe" (PID:2060)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe "C:\Users\Admin\fIwEgMMk\TUcIIAcg.exe" (PID:2528)
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
  C:\ProgramData\GkEwEMwg\LeUkcQss.exe "C:\ProgramData\GkEwEMwg\LeUkcQss.exe" (PID:2688)
    - Executes dropped EXE
    - Adds Run key to start application
  C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock" (PID:2440)
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\AppData\Local\Temp\ViraLock (PID:2772)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock" (PID:2816)
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\ViraLock.exe C:\Users\Admin\AppData\Local\Temp\ViraLock (PID:2856)
          - Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock101⤵PID:680
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"102⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock103⤵PID:2848
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"104⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock105⤵PID:1708
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"106⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock107⤵PID:2076
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"108⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock109⤵PID:2560
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"110⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock111⤵PID:2260
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"112⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock113⤵PID:768
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"114⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock115⤵PID:2548
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"116⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock117⤵PID:1776
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"118⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock119⤵PID:2796
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"120⤵PID:2572
-
C:\Users\Admin\AppData\Local\Temp\ViraLock.exeC:\Users\Admin\AppData\Local\Temp\ViraLock121⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ViraLock"122⤵PID:2708