Analysis
max time kernel: 150s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/05/2025, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Resource: win11-20250410-en
General
Target: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Size: 788KB
MD5: 68c6ceb7c90e70cce7782001a3b7a488
SHA1: 3fa92a19d64bf04da4fc6c8d247304957677d285
SHA256: 982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a
SHA512: 614860b8c710d4094e7c1c1cbb6ad70fccfbf96b6bdb466957afc14eb250609e068321e464e68a3cd750b8c9eebf8c9a44a30b38ce6859523921279d8e9db1df
SSDEEP: 3072:zDueoOjqr4Z6m6LwRYqX+Hjj9iYK23PmiCKkX+Ln/2+yKjIFZ:Weox9JLwRDX+Hjj9i12uiCKV/2+ymw
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
All 64 IoC rows set this one value. Writing process: reg.exe (48 rows), Process not Found (16 rows; the sandbox could not map the event to a process that was still running).
With HideFileExt set, Explorer displays a file such as the shell32.dll.exe dropped later in this report as "shell32.dll", which is what makes the extension-appending behaviour below convincing to a user.
UAC bypass (3 TTPs, 64 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
All 64 IoC rows set this one value. Writing process: reg.exe (47 rows), Process not Found (17 rows).
Writing under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System already requires administrative rights, so the signature name overstates what happened: UAC is being switched off by a process that was already elevated, and EnableLUA = 0 only takes effect after the next reboot. Check this value on any host the sample ran on, since it stays disabled until restored.
Renames multiple (81) files with added filename extension
Mass renaming with an appended extension is the pattern left by ransomware encrypting files in place, and it matches the shell32.dll.exe drop below, where .exe is appended to an existing library name. Confirm by comparing a renamed file's content (header bytes, entropy) against a known-good copy before concluding the files were encrypted rather than only renamed.
Executes dropped EXE (4 IoCs)
pid   Process
2692  SUkwwkgY.exe
4920  YIkQQMgc.exe
1980  YIkQQMgc.exe
4360  SUkwwkgY.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report lists no individual IoC rows for this signature.
Adds Run key to start application (2 TTPs, 6 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe"  (process: SUkwwkgY.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe"  (process: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\ProgramData\wQUogYMc\YIkQQMgc.exe"  (process: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe"  (process: SUkwwkgY.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\ProgramData\wQUogYMc\YIkQQMgc.exe"  (process: YIkQQMgc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\ProgramData\wQUogYMc\YIkQQMgc.exe"  (process: YIkQQMgc.exe)
Two persistence entries: a per-user one in the Admin profile and a machine-wide one (32-bit view, WOW6432Node) pointing into C:\ProgramData. Both targets are directories a standard user can write to.
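The three registry signatures above (HideFileExt = 1, EnableLUA = 0, and Run entries pointing into C:\ProgramData and C:\Users\Admin) are the kind of thing to turn into a host-side detection. The Python below is an added example, not part of the sandbox report or of the sample: it takes registry value-set events in a Sysmon Event ID 13-like shape (TargetObject, Details, Image), normalises the NT-native \REGISTRY\MACHINE and \REGISTRY\USER prefixes the sandbox prints into the HKLM and HKU forms Sysmon uses, and flags the three patterns. The event records, the two benign control rows and the user-writable-path list are constructed for the demonstration; the Image column holds bare process names because that is all the report gives.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Sandbox output uses NT-native key paths; Sysmon Event ID 13 uses hive
# abbreviations. Map the former onto the latter so one rule set serves both.
_HIVE_PREFIXES = (
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\", re.I), "HKU\\"),
)

# Locations a standard user can write to (assumed list): a Run entry pointing
# here is the shape seen in the report (C:\ProgramData\... and C:\Users\Admin\...).
_USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    data: str
    image: str


def normalise_key(path: str) -> str:
    """\\REGISTRY\\MACHINE\\... -> HKLM\\..., \\REGISTRY\\USER\\<SID>\\... -> HKU\\<SID>\\..."""
    for pattern, hive in _HIVE_PREFIXES:
        m = pattern.match(path)
        if m:
            return hive + path[m.end():]
    return path


def value_as_int(data: str) -> Optional[int]:
    """Accept both the sandbox rendering ('1', '"1"') and Sysmon's ('DWORD (0x00000001)')."""
    m = re.fullmatch(r"(?:DWORD|QWORD)\s*\((0x[0-9a-f]+)\)", data.strip(), re.I)
    if m:
        return int(m.group(1), 16)
    try:
        return int(data.strip().strip('"'))
    except ValueError:
        return None


def first_path(command: str) -> str:
    """Executable path out of a Run value, quoted ('"C:\\a b.exe" /x') or not ('C:\\a.exe /x')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(event: dict) -> Optional[Finding]:
    """event carries the three Sysmon EID 13 fields that matter here: TargetObject, Details, Image."""
    key = normalise_key(event["TargetObject"])
    data = event["Details"]
    image = event.get("Image", "")
    lowered = key.lower()

    if lowered.endswith("\\explorer\\advanced\\hidefileext") and value_as_int(data) == 1:
        return Finding("explorer_hide_extensions", key, data, image)
    if lowered.endswith("\\policies\\system\\enablelua") and value_as_int(data) == 0:
        return Finding("uac_disabled", key, data, image)
    # Native and WOW6432Node Run keys both contain "\CurrentVersion\Run\"; the report shows the latter.
    if "\\currentversion\\run\\" in lowered and _USER_WRITABLE.match(first_path(data)):
        return Finding("run_key_user_writable_path", key, data, image)
    return None


def scan(events: Iterable[dict]) -> list:
    return [f for f in map(classify, events) if f is not None]


# Constructed records mirroring the IoCs in the report, plus two benign controls.
SID = "S-1-5-21-599783296-1627459723-2423478968-1000"
SAMPLE_EVENTS = [
    {"TargetObject": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
     "Details": "1", "Image": "reg.exe"},
    {"TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "0", "Image": "reg.exe"},
    {"TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\YIkQQMgc.exe",
     "Details": "C:\\ProgramData\\wQUogYMc\\YIkQQMgc.exe", "Image": "YIkQQMgc.exe"},
    {"TargetObject": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SUkwwkgY.exe",
     "Details": "C:\\Users\\Admin\\UQkUIgkQ\\SUkwwkgY.exe", "Image": "SUkwwkgY.exe"},
    # Constructed controls: a user turning extensions back on, and a Run entry under the system directory.
    {"TargetObject": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
     "Details": "DWORD (0x00000000)", "Image": "C:\\Windows\\explorer.exe"},
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\system32\\SecurityHealthSystray.exe", "Image": "C:\\Windows\\system32\\msiexec.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule:28} {finding.image:14} {finding.key} = {finding.data}")
```

Run it directly to print the four findings for the built-in records, or feed `scan()` events exported from a SIEM. The Run-key rule deliberately keys on where the target lives rather than on the random directory names in this sample, since those change from run to run.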
Drops file in System32 directory (2 IoCs)
File created: C:\Windows\SysWOW64\shell32.dll.exe  (process: SUkwwkgY.exe)
File opened for modification: C:\Windows\SysWOW64\shell32.dll.exe  (process: SUkwwkgY.exe)
SysWOW64 is the 32-bit system directory, and the name mirrors the system library shell32.dll with .exe appended, the same extension-appending shape as the renamed user files above. Writing there needs administrative rights, consistent with the elevated context implied by the EnableLUA change.
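The renamed user files and the shell32.dll.exe drop share one shape: an existing filename with .exe appended. The Python sweep below is an added example, not part of the sandbox report or of the sample: it walks a directory tree for that double-extension shape and checks whether each hit actually begins with the MZ header of a Windows executable, so that a renamed-but-untouched file and a dropped PE are reported differently. The inner-extension list and the fixture tree it builds under a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions a user expects to see in front of an appended ".exe". Assumed list;
# extend it for the environment being swept.
INNER_EXTENSIONS = {".dll", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}


def is_pe(path: Path) -> bool:
    """True when the file starts with the 'MZ' DOS header every PE file carries."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def suspicious_name(name: str) -> bool:
    """'shell32.dll.exe' -> True; 'shell32.dll' -> False; 'reg.exe' -> False."""
    stem, outer = os.path.splitext(name)
    if outer.lower() != ".exe":
        return False
    inner = os.path.splitext(stem)[1].lower()
    return inner in INNER_EXTENSIONS


def sweep(root) -> list:
    """(relative path, has PE header) for every file whose name has the appended-.exe shape."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if suspicious_name(fn):
                p = Path(dirpath) / fn
                hits.append((str(p.relative_to(root)), is_pe(p)))
    return sorted(hits)


def build_fixture(root) -> None:
    """Constructed tree resembling the report: renamed user documents plus shell32.dll.exe."""
    root = Path(root)
    (root / "Windows" / "SysWOW64").mkdir(parents=True)
    (root / "Users" / "Admin" / "Documents").mkdir(parents=True)
    (root / "Windows" / "SysWOW64" / "shell32.dll.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "Windows" / "SysWOW64" / "reg.exe").write_bytes(b"MZ" + b"\x00" * 62)   # single extension, ignored
    (root / "Users" / "Admin" / "Documents" / "report.docx.exe").write_bytes(b"MZ" + b"\x90" * 30)
    (root / "Users" / "Admin" / "Documents" / "notes.txt.exe").write_bytes(b"plain text, no PE header")
    (root / "Users" / "Admin" / "Documents" / "budget.xlsx").write_bytes(b"PK\x03\x04")  # untouched


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for rel, pe in demo():
        print(f"{'PE    ' if pe else 'no-PE '} {rel}")
```

A hit with a PE header is a dropped or overwritten executable masquerading as a document or library; a hit without one is a file that was only renamed and may be recoverable by stripping the extension. Point `sweep()` at a mounted image of the affected volume rather than at the live system.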
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
All 64 IoC rows open this one key. Opening process: reg.exe (25), cmd.exe (14), cscript.exe (9), Process not Found (8), 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe (7), YIkQQMgc.exe (1).
This key is read during ordinary locale initialisation, so reads by reg.exe, cmd.exe and cscript.exe are low-signal on their own; what the rows do establish is that cmd.exe, cscript.exe and many reg.exe instances ran during the analysis alongside the sample and its dropped YIkQQMgc.exe.
Modifies registry key (1 TTPs, 64 IoCs)
reg.exe (56 rows), PIDs in report order: 5704, 1124, 4880, 3712, 5580, 548, 1956, 4608, 4112, 3812, 5020, 5688, 2352, 5024, 2312, 2312, 6060, 248, 4652, 2668, 5792, 1760, 988, 5388, 1692, 2204, 4640, 4444, 3140, 1964, 5184, 5308, 3632, 2068, 4580, 1912, 5212, 1120, 5772, 6136, 1692, 3052, 1432, 828, 1052, 4108, 940, 2572, 5524, 1916, 2992, 2108, 920, 416, 1824, 5376
Process not Found (8 rows), PIDs: 5160, 2756, 1660, 4132, 3736, 3996, 2504, 4808
(2312 and 1692 each appear twice.)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe, four rows per PID, in report order: 4860, 5096, 4004, 3424, 232, 4044, 2848, 664, 5004, 2192, 3472, 3424, 1140, 3896, 5752, 2472
The sample image was therefore running under 15 distinct PIDs during the analysis (3424 is listed twice), not as a single process.
Suspicious use of FindShellTrayWindow 20 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
(one entry per process: nesting level, PID and image path, followed by its command line and any behaviour flags the sandbox attached to it)

Level 1  PID 4860  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 2  PID 2692  C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
  cmdline: "C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow

Level 2  PID 4920  C:\ProgramData\wQUogYMc\YIkQQMgc.exe
  cmdline: "C:\ProgramData\wQUogYMc\YIkQQMgc.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery

Level 2  PID 3036  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - Suspicious use of WriteProcessMemory

Level 3  PID 5096  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 4  PID 2364  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - Suspicious use of WriteProcessMemory

Level 5  PID 4004  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 6  PID 3188  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - Suspicious use of WriteProcessMemory

Level 7  PID 3424  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 8  PID 4104  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 9  PID 232  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 10  PID 2388  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 11  PID 4044  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 12  PID 2748  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 13  PID 2848  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 14  PID 896  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 15  PID 664  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 16  PID 5504  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 17  PID 5004  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 18  PID 4524  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 19  PID 2192  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 20  PID 4136  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 21  PID 3472  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 22  PID 5448  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 23  PID 3424  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 24  PID 4112  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 25  PID 1140  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 26  PID 692  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 27  PID 3896  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 28  PID 2496  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 29  PID 5752  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 30  PID 664  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 31  PID 2472  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 32  PID 3692  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 33  PID 4992  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 34  PID 644  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 35  PID 2028  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 36  PID 1132  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 37  PID 4984  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 38  PID 4532  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 39  PID 3972  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 40  PID 2564  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 41  PID 2128  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 42  PID 5188  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 43  PID 1376  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 44  PID 692  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 45  PID 3796  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 46  PID 2496  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 47  PID 2840  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 48  PID 948  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 49  PID 5020  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 50  PID 4628  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 51  PID 6056  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 52  PID 2100  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 53  PID 644  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 54  PID 2476  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 55  PID 4776  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 56  PID 4264  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 57  PID 6132  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 58  PID 1508  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 59  PID 2052  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 60  PID 3612  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 61  PID 4740  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 62  PID 1100  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 63  PID 4752  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 64  PID 5096  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 65  PID 3676  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

Level 66  PID 1876  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 67  PID 3476  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 68  PID 6056  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 69  PID 4616  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 70  PID 2280  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - System Location Discovery: System Language Discovery

Level 71  PID 392  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 72  PID 2844  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 73  PID 5856  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 74  PID 5472  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 75  PID 1140  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 76  PID 5928  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 77  PID 5784  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 78  PID 5480  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 79  PID 4740  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 80  PID 4716  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 81  PID 228  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 82  PID 896  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 83  PID 2496  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 84  PID 6080  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 85  PID 4572  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 86  PID 5256  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 87  PID 4980  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 88  PID 5328  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 89  PID 532  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 90  PID 5080  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 91  PID 2624  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 92  PID 5772  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 93  PID 6132  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 94  PID 6112  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 95  PID 4784  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 96  PID 1028  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 97  PID 4740  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 98  PID 5512  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 99  PID 3012  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 100  PID 4940  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 101  PID 2496  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

Level 102  PID 3504  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 103  PID 4572  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 104  PID 5124  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 105  PID 3628  C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 105  PID 2068  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 106  PID 5580  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 107  PID 796  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 108  PID 5352  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 109  PID 1152  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 110  PID 396  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 111  PID 3996  C:\Windows\System32\Conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Level 111  PID 824  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 112  PID 3168  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 113  PID 5008  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 114  PID 3992  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - System Location Discovery: System Language Discovery

Level 115  PID 4656  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 116  PID 5072  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 117  PID 2484  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 118  PID 352  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 119  PID 4528  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 120  PID 6080  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Level 121  PID 5228  C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

Level 122  PID 3744  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"