Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2025, 07:04
Static task
static1
Behavioral task
behavioral1
Sample
2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Resource
win11-20250410-en
General
-
Target
2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
-
Size
788KB
-
MD5
68c6ceb7c90e70cce7782001a3b7a488
-
SHA1
3fa92a19d64bf04da4fc6c8d247304957677d285
-
SHA256
982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a
-
SHA512
614860b8c710d4094e7c1c1cbb6ad70fccfbf96b6bdb466957afc14eb250609e068321e464e68a3cd750b8c9eebf8c9a44a30b38ce6859523921279d8e9db1df
-
SSDEEP
3072:zDueoOjqr4Z6m6LwRYqX+Hjj9iYK23PmiCKkX+Ln/2+yKjIFZ:Weox9JLwRDX+Hjj9i12uiCKV/2+ymw
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found -
UAC bypass 3 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (95) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 5 IoCs
flow pid Process 49 2416 Process not Found 53 2416 Process not Found 55 2416 Process not Found 57 2416 Process not Found 61 2416 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation dIgkkUYE.exe -
Executes dropped EXE 4 IoCs
pid Process 1872 dIgkkUYE.exe 2064 rqsMQkMc.exe 2644 rqsMQkMc.exe 2304 dIgkkUYE.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" rqsMQkMc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" dIgkkUYE.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" dIgkkUYE.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" rqsMQkMc.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell32.dll.exe dIgkkUYE.exe File created C:\Windows\SysWOW64\shell32.dll.exe dIgkkUYE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry key 1 TTPs 64 IoCs
pid Process 512 reg.exe 928 reg.exe 620 reg.exe 1348 Process not Found 2544 reg.exe 532 reg.exe 2328 reg.exe 4916 reg.exe 4508 reg.exe 3620 reg.exe 1720 reg.exe 3500 Process not Found 2776 reg.exe 2508 reg.exe 3812 reg.exe 1952 reg.exe 2776 reg.exe 4844 reg.exe 2296 reg.exe 1816 reg.exe 3600 Process not Found 4344 Process not Found 2592 reg.exe 2372 reg.exe 1648 reg.exe 2212 reg.exe 2508 reg.exe 3988 Process not Found 4636 Process not Found 4924 reg.exe 2024 reg.exe 4900 reg.exe 2212 reg.exe 3080 reg.exe 5064 reg.exe 1588 reg.exe 2180 reg.exe 2020 reg.exe 2436 reg.exe 4972 reg.exe 996 reg.exe 3464 reg.exe 4336 reg.exe 3620 reg.exe 3620 reg.exe 2372 reg.exe 440 reg.exe 1232 reg.exe 324 reg.exe 4848 reg.exe 1328 Process not Found 3496 reg.exe 3892 reg.exe 2616 reg.exe 3244 reg.exe 3600 reg.exe 452 reg.exe 4980 Process not Found 2260 reg.exe 2244 Process not Found 2180 reg.exe 1728 reg.exe 3464 reg.exe 4940 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3892 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3892 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3892 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3892 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4496 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4496 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4496 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4496 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2296 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2296 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2296 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2296 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 968 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 968 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 968 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 968 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4452 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4452 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4452 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4452 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1208 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1208 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1208 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1208 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3620 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3620 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3620 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3620 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 808 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 808 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 808 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 808 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4844 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4844 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4844 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4844 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3256 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3256 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3256 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 3256 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2176 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2176 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2176 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 2176 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1648 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1648 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1648 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 1648 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4008 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4008 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4008 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 4008 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe -
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe 1872 dIgkkUYE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5032 wrote to memory of 1872 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 86 PID 5032 wrote to memory of 1872 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 86 PID 5032 wrote to memory of 1872 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 86 PID 5032 wrote to memory of 2064 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 88 PID 5032 wrote to memory of 2064 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 88 PID 5032 wrote to memory of 2064 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 88 PID 5032 wrote to memory of 3864 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 90 PID 5032 wrote to memory of 3864 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 90 PID 5032 wrote to memory of 3864 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 90 PID 5032 wrote to memory of 4496 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 94 PID 5032 wrote to memory of 4496 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 94 PID 5032 wrote to memory of 4496 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 94 PID 5032 wrote to memory of 4848 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 95 PID 5032 wrote to memory of 4848 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 95 PID 5032 wrote to memory of 4848 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 95 PID 5032 wrote to memory of 4880 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 96 PID 5032 wrote to memory of 4880 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 96 PID 5032 wrote to memory of 4880 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 96 PID 5032 wrote to memory of 4164 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 97 PID 5032 wrote to memory of 4164 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 97 PID 5032 wrote to memory of 4164 5032 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 97 PID 3864 wrote to memory of 4764 3864 cmd.exe 102 PID 3864 wrote to memory of 4764 3864 cmd.exe 102 PID 3864 wrote to memory of 4764 3864 cmd.exe 102 PID 3696 wrote to memory of 2644 3696 cmd.exe 103 PID 3696 wrote to memory of 2644 3696 cmd.exe 103 PID 3696 wrote to memory of 2644 3696 cmd.exe 103 PID 1772 wrote to memory of 2304 1772 cmd.exe 104 PID 1772 wrote to memory of 2304 1772 cmd.exe 104 PID 1772 wrote to memory of 2304 1772 cmd.exe 104 PID 4164 wrote to memory of 1804 4164 cmd.exe 105 PID 4164 wrote to memory of 1804 4164 cmd.exe 105 PID 4164 wrote to memory of 1804 4164 cmd.exe 105 PID 4764 wrote to memory of 2600 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 106 PID 4764 wrote to memory of 2600 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 106 PID 4764 wrote to memory of 2600 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 106 PID 4764 wrote to memory of 2508 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 108 PID 4764 wrote to memory of 2508 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 108 PID 4764 wrote to memory of 2508 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 108 PID 4764 wrote to memory of 512 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 109 PID 4764 wrote to memory of 512 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 109 PID 4764 wrote to memory of 512 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 109 PID 4764 wrote to memory of 2744 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 110 PID 4764 wrote to memory of 2744 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 110 PID 4764 wrote to memory of 2744 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 110 PID 4764 wrote to memory of 4528 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 111 PID 4764 wrote to memory of 4528 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 111 PID 4764 wrote to memory of 4528 4764 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 111 PID 2600 wrote to memory of 4756 2600 cmd.exe 116 PID 2600 wrote to memory of 4756 2600 cmd.exe 116 PID 2600 wrote to memory of 4756 2600 cmd.exe 116 PID 4528 wrote to memory of 2668 4528 cmd.exe 117 PID 4528 wrote to memory of 2668 4528 cmd.exe 117 PID 4528 wrote to memory of 2668 4528 cmd.exe 117 PID 4756 wrote to memory of 4356 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 119 PID 4756 wrote to memory of 4356 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 119 PID 4756 wrote to memory of 4356 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 119 PID 4756 wrote to memory of 2592 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 121 PID 4756 wrote to memory of 2592 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 121 PID 4756 wrote to memory of 2592 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 121 PID 4756 wrote to memory of 2996 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 122 PID 4756 wrote to memory of 2996 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 122 PID 4756 wrote to memory of 2996 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 122 PID 4756 wrote to memory of 2412 4756 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe"C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:1872
-
-
C:\ProgramData\juQAMMEY\rqsMQkMc.exe"C:\ProgramData\juQAMMEY\rqsMQkMc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"6⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"8⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"10⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"12⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"14⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"16⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"18⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"20⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"22⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"24⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"26⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"28⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"30⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"32⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock33⤵PID:3812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"34⤵PID:1076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock35⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"36⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock37⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"38⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock39⤵PID:3780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"40⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock41⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"42⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock43⤵PID:3816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"44⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock45⤵PID:2416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"46⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock47⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"48⤵PID:1088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:3256
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock49⤵PID:2312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"50⤵PID:4756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV151⤵PID:4080
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock51⤵PID:3496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"52⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock53⤵PID:4680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"54⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock55⤵PID:3464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"56⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock57⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"58⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock59⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"60⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock61⤵
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"62⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock63⤵PID:3824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"64⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock65⤵PID:468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"66⤵PID:2824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:3780
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock67⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"68⤵PID:1076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock69⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"70⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock71⤵PID:1564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"72⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock73⤵PID:3772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"74⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock75⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"76⤵PID:3156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:3988
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock77⤵PID:4916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"78⤵PID:1084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock79⤵PID:4020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"80⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock81⤵PID:4676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"82⤵PID:1112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:1348
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock83⤵PID:4344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"84⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock85⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"86⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock87⤵PID:780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"88⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock89⤵PID:436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"90⤵
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:3620
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock91⤵
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"92⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock93⤵
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"94⤵PID:4916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:3816
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock95⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"96⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock97⤵PID:1436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"98⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock99⤵PID:1884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"100⤵PID:5080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:4688
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock101⤵PID:3596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"102⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock103⤵PID:996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"104⤵PID:4448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:3156
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock105⤵PID:4660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"106⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock107⤵PID:3256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"108⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock109⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"110⤵PID:3564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:4916
-
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock111⤵PID:4684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"112⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock113⤵PID:5028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"114⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock115⤵PID:2404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"116⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock117⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"118⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock119⤵PID:916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"120⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exeC:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock121⤵PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"122⤵PID:4676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-