Analysis
max time kernel: 149s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2025, 07:10
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Resource: win11-20250410-en
General
Target: 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Size: 788KB
MD5: 68c6ceb7c90e70cce7782001a3b7a488
SHA1: 3fa92a19d64bf04da4fc6c8d247304957677d285
SHA256: 982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a
SHA512: 614860b8c710d4094e7c1c1cbb6ad70fccfbf96b6bdb466957afc14eb250609e068321e464e68a3cd750b8c9eebf8c9a44a30b38ce6859523921279d8e9db1df
SSDEEP: 3072:zDueoOjqr4Z6m6LwRYqX+Hjj9iYK23PmiCKkX+Ln/2+yKjIFZ:Weox9JLwRDX+Hjj9i12uiCKV/2+ymw
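Before drawing conclusions from the behaviour below, confirm that the file you hold is the one this report describes. The script that follows is an added example and not part of the sandbox report: it hashes a local copy once, feeding all four digests in the same pass, and lists which of the report's values disagree. SSDEEP is omitted because it needs a third-party module; the four standard-library digests identify the file exactly.

```python
"""Verify a local copy of the sample against the digests in the report.

Added example, not part of the sandbox report. One read of the file feeds
md5, sha1, sha256 and sha512 simultaneously, then the results are compared
with the values from the "General" section above.
"""
import hashlib
import sys

# Digests copied from the report's "General" section.
REPORTED = {
    "md5": "68c6ceb7c90e70cce7782001a3b7a488",
    "sha1": "3fa92a19d64bf04da4fc6c8d247304957677d285",
    "sha256": "982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a",
    "sha512": "614860b8c710d4094e7c1c1cbb6ad70fccfbf96b6bdb466957afc14eb250609e"
              "068321e464e68a3cd750b8c9eebf8c9a44a30b38ce6859523921279d8e9db1df",
}


def digest_stream(chunks):
    """Compute every digest named in REPORTED over an iterable of byte chunks."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large samples are not read at once."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return digest_stream(chunks())


def mismatches(actual, expected):
    """Names of the digests in `expected` that differ from `actual` (hex, any case)."""
    return sorted(
        name for name, value in expected.items()
        if actual.get(name, "").lower() != value.lower()
    )


def verify_sample(path, expected=REPORTED):
    """True only when every reported digest matches the file at `path`."""
    return not mismatches(digest_file(path), expected)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <path-to-sample>")
    bad = mismatches(digest_file(sys.argv[1]), REPORTED)
    print("OK: matches report" if not bad else "MISMATCH on " + ", ".join(bad))
```

A mismatch on any single digest means the local file is not the analysed artefact (a re-packed copy, a truncated download, or a different member of the same family), and the behaviour documented here should not be assumed to apply to it.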
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Sets HKCU\...\Explorer\Advanced\HideFileExt to 1 so that Explorer hides known file extensions. That is the Windows default, but re-asserting it matters for this sample: once the ".exe" appended to infected files (see "Renames multiple files" and the dropped shell32.dll.exe below) is hidden, an infected document or library displays under its original name. The writes are made through spawned reg.exe processes rather than by the sample directly.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe
(The 64 entries listed are identical apart from the attributed process: most are reg.exe, the rest "Process not Found", a process the sandbox could no longer map when the event was recorded.)
UAC bypass 3 TTPs 64 IoCs
Sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0. Despite the signature name this is not a bypass: the value switches UAC off entirely and requires a reboot to take effect. Because that key is writable only from an elevated context, the successful writes (like the file dropped into C:\Windows\SysWOW64 below) show the sample was already running with administrative rights. As with HideFileExt, the value is written through spawned reg.exe processes.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
(The 64 entries listed are identical apart from the attributed process: reg.exe or "Process not Found".)
Renames multiple (91) files with added filename extension
Appending an extension to many files is the usual trace of ransomware encrypting them in place. Together with the C:\Windows\SysWOW64\shell32.dll.exe drop below (an existing file name with ".exe" added) this is consistent with a file infector that wraps each victim file in a new executable, the behaviour the "virlock" tag in the sample name implies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation iooIkMUQ.exe
Executes dropped EXE 4 IoCs
pid Process
224 wAEgYMso.exe
2360 iooIkMUQ.exe
5080 wAEgYMso.exe
4608 iooIkMUQ.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers commonly read stored browser data such as saved credentials and cookies. No individual IoCs are listed for this signature.
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" iooIkMUQ.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" wAEgYMso.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" wAEgYMso.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" iooIkMUQ.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oQEwsUkw.exe = "C:\\Users\\Admin\\dukEgMAk\\oQEwsUkw.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WOMwMEMs.exe = "C:\\ProgramData\\scYsoIYk\\WOMwMEMs.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
Persistence is set twice over: one copy per user under HKCU\...\Run (a directory and executable of eight random-case letters under C:\Users\Admin\) and one per machine under HKLM\...\Run (the same naming under C:\ProgramData\). The WOW6432Node path shows the writer is a 32-bit process whose HKLM\SOFTWARE write was redirected. The two dropped binaries that ran, wAEgYMso.exe and iooIkMUQ.exe, each re-register themselves; oQEwsUkw.exe and WOMwMEMs.exe are registered by the sample but do not appear under "Executes dropped EXE" in this run.
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\shell32.dll.exe iooIkMUQ.exe
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe iooIkMUQ.exe
The name is the real shell32.dll with ".exe" appended, consistent with the file-infection pattern noted under "Renames multiple files"; with HideFileExt set it would display as shell32.dll. Writing into SysWOW64 also confirms the dropped process runs elevated.
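The registry and file artefacts above (EnableLUA, HideFileExt, the random-named Run entries, the shell32.dll.exe drop and the appended-extension files) are the ones a responder would sweep a host for. The script below is an added example, not part of the sandbox report: the evaluation step is pure and takes a snapshot of registry values and file paths, so it can be tested offline, and a separate collector builds that snapshot with `winreg` on a live Windows host. Key paths and the dropped-file path are taken from this report; the "eight letters" naming pattern for the Run entries and the list of document extensions are assumptions generalised from the names seen here.

```python
"""Host triage for the registry and file IoCs in this report.

Added example, not part of the sandbox report. evaluate() is pure and
testable; collect_windows() needs a Windows host. The eight-letter Run
pattern and the DOUBLE_EXT list are assumptions generalised from this report.
"""
import os
import re
import sys

HKCU_ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKLM_POL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
]
# Assumed pattern: an 8-letter directory and 8-letter .exe directly under the
# user profile or ProgramData, e.g. C:\ProgramData\QegYUEAc\iooIkMUQ.exe.
RANDOM_RUN = re.compile(
    r'^"?[A-Za-z]:\\(?:Users\\[^\\]+|ProgramData)\\[A-Za-z]{8}\\[A-Za-z]{8}\.exe"?$'
)
# Exact dropped file from the report, plus the generic "name.ext.exe" shape an
# infector leaves when it appends .exe to a document or library (assumed list).
DROPPED = r"c:\windows\syswow64\shell32.dll.exe"
DOUBLE_EXT = re.compile(
    r"\.(?:dll|docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip)\.exe$", re.IGNORECASE
)


def evaluate(snapshot):
    """snapshot = {"values": {(hive, key, name): data}, "files": [path, ...]}.
    Returns a list of human-readable findings (empty when nothing matches)."""
    findings = []
    values = snapshot.get("values", {})
    if values.get(("HKLM", HKLM_POL, "EnableLUA")) == 0:
        findings.append("EnableLUA=0: UAC disabled (effective after reboot)")
    if values.get(("HKCU", HKCU_ADV, "HideFileExt")) == 1:
        # Windows default, so corroborating only; reported because this
        # sample re-asserts it to hide the .exe it appends to infected files.
        findings.append("HideFileExt=1: extensions hidden (default, corroborating)")
    for (hive, key, name), data in values.items():
        if (hive, key) in RUN_KEYS and isinstance(data, str) and RANDOM_RUN.match(data):
            findings.append(f"Run entry {hive}\\{key}\\{name} -> {data}")
    for path in snapshot.get("files", []):
        low = path.lower()
        if low == DROPPED:
            findings.append(f"dropped file present: {path}")
        elif DOUBLE_EXT.search(low):
            findings.append(f"doubled extension, possible infected file: {path}")
    return findings


def collect_windows(scan_root=None):
    """Snapshot the relevant keys (and optionally walk a directory); Windows only."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}

    def read_all(hive, key):
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                i = 0
                while True:
                    name, data, _ = winreg.EnumValue(k, i)  # OSError when exhausted
                    values[(hive, key, name)] = data
                    i += 1
        except OSError:
            pass  # key absent or no more values

    read_all("HKCU", HKCU_ADV)
    read_all("HKLM", HKLM_POL)
    for hive, key in RUN_KEYS:
        read_all(hive, key)
    files = [p for p in [r"C:\Windows\SysWOW64\shell32.dll.exe"] if os.path.exists(p)]
    if scan_root:
        for dirpath, _, names in os.walk(scan_root):
            files.extend(os.path.join(dirpath, n) for n in names if DOUBLE_EXT.search(n))
    return {"values": values, "files": files}


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being triaged")
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for line in evaluate(collect_windows(root)) or ["no report IoCs found"]:
        print(line)
```

Run it elevated on the suspect host, optionally with a directory to walk for appended-extension files (`python triage.py C:\Users`). A HideFileExt hit alone is not evidence of compromise, which is why the finding is labelled corroborating; EnableLUA=0 or a Run entry matching the eight-letter pattern is the signal to act on.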
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target
3044 4940 WerFault.exe 793
5416 2072 WerFault.exe 790
5740 1820 WerFault.exe 811
1868 1044 WerFault.exe 814
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather the system language of the victim in order to infer the host's geographic location. The key is opened not only by the sample but also by the reg.exe, cmd.exe and cscript.exe processes it spawns, something many ordinary Windows processes do at startup, so on its own this signature is low-fidelity and should be weighed together with the Geo\Nation lookup above.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
(64 entries, all for this key; attributed to reg.exe, cmd.exe, cscript.exe, 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe and "Process not Found".)
Modifies registry key 1 TTPs 64 IoCs
pid Process 3848 reg.exe 1876 reg.exe 5764 reg.exe 3396 reg.exe 3892 reg.exe 960 reg.exe 1620 Process not Found 5896 reg.exe 376 reg.exe 2560 reg.exe 4356 reg.exe 5000 Process not Found 2568 Process not Found 5596 reg.exe 1324 reg.exe 2964 Process not Found 1568 reg.exe 2912 reg.exe 4660 reg.exe 2344 Process not Found 5460 Process not Found 1320 reg.exe 4144 reg.exe 208 Process not Found 2004 reg.exe 5796 reg.exe 2996 reg.exe 4060 reg.exe 1896 reg.exe 3940 reg.exe 3496 reg.exe 4560 reg.exe 1092 reg.exe 3048 reg.exe 4360 Process not Found 3112 Process not Found 4856 reg.exe 2960 reg.exe 4512 reg.exe 5496 reg.exe 2912 reg.exe 5496 Process not Found 3544 reg.exe 1168 reg.exe 4468 reg.exe 4896 reg.exe 3932 Process not Found 5404 reg.exe 4820 reg.exe 5356 Process not Found 5984 reg.exe 1508 reg.exe 448 reg.exe 404 reg.exe 4008 reg.exe 2888 reg.exe 3804 reg.exe 1708 reg.exe 1368 reg.exe 2012 reg.exe 5028 reg.exe 4584 reg.exe 2652 reg.exe 3380 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
Sixteen instances of 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe, each listed four times: PIDs 5248, 5408, 5656, 700, 3876, 2104, 4064, 1876, 1596, 4876, 2220, 4408, 2472, 4500, 404, 1200.
Suspicious use of FindShellTrayWindow 20 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1, PID 5248] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 2, PID 224] C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
  Command line: "C:\Users\Admin\RUUEsQEw\wAEgYMso.exe"
  - Executes dropped EXE
  - Adds Run key to start application

[depth 2, PID 2360] C:\ProgramData\QegYUEAc\iooIkMUQ.exe
  Command line: "C:\ProgramData\QegYUEAc\iooIkMUQ.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow

[depth 2, PID 6000] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - Suspicious use of WriteProcessMemory

[depth 3, PID 5408] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 4, PID 4532] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - Suspicious use of WriteProcessMemory

[depth 5, PID 5656] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 6, PID 3016] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 7, PID 700] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 8, PID 1236] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 9, PID 3876] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 10, PID 4060] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - System Location Discovery: System Language Discovery

[depth 11, PID 2104] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 12, PID 5984] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 13, PID 4064] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

[depth 14, PID 3900] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 15, PID 1876] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 16, PID 4520] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 17, PID 1596] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 18, PID 4824] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 19, PID 4876] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 20, PID 1068] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 21, PID 2220] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 22, PID 5468] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 23, PID 4408] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 24, PID 1188] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 25, PID 2472] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 26, PID 5776] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 27, PID 4500] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 28, PID 1876] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 29, PID 404] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 30, PID 6012] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 31, PID 1200] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 32, PID 1164] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 33, PID 2584] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 34, PID 2772] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 35, PID 6044] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 36, PID 1816] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 37, PID 588] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 38, PID 4380] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 39, PID 2472] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 40, PID 4660] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 41, PID 5900] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 41, PID 3836] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 42, PID 2276] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 43, PID 2484] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 44, PID 1420] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 45, PID 4328] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 46, PID 1652] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 47, PID 3260] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 48, PID 880] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 49, PID 5896] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 50, PID 5644] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 51, PID 3052] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 52, PID 3348] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 53, PID 5984] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 54, PID 4908] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 55, PID 4604] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 56, PID 2060] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 57, PID 4896] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 58, PID 5916] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 59, PID 4328] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 59, PID 3776] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

[depth 60, PID 3352] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 61, PID 4236] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 62, PID 3932] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 63, PID 5896] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 63, PID 912] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 64, PID 5072] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 65, PID 1292] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 65, PID 5644] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 66, PID 5984] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 67, PID 1128] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 68, PID 2316] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 69, PID 2848] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 70, PID 3396] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 71, PID 4896] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 71, PID 2220] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

[depth 72, PID 2492] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 73, PID 5404] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 74, PID 2312] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 75, PID 1396] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 76, PID 3976] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 77, PID 1456] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 77, PID 5260] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 78, PID 1096] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 79, PID 5596] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 80, PID 4580] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 81, PID 4604] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 81, PID 3840] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 82, PID 5772] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 83, PID 404] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 84, PID 2676] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"
  - System Location Discovery: System Language Discovery

[depth 85, PID 2896] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 86, PID 2768] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 87, PID 3864] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 88, PID 2652] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 89, PID 2184] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 90, PID 4928] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 91, PID 3644] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 92, PID 436] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 93, PID 4756] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 94, PID 4876] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 95, PID 1492] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 96, PID 4208] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 97, PID 5460] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 98, PID 5664] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 99, PID 1652] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 99, PID 6044] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

[depth 100, PID 2180] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 101, PID 4060] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 102, PID 2516] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 103, PID 4572] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 104, PID 2640] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 105, PID 1392] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 106, PID 3356] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 107, PID 5208] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 107, PID 4524] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 108, PID 5852] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 109, PID 4748] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 109, PID 3716] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 110, PID 4116] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 111, PID 2060] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 111, PID 1708] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - System Location Discovery: System Language Discovery

[depth 112, PID 3652] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 113, PID 4084] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 114, PID 2104] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 115, PID 4388] C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 115, PID 4276] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
  - Adds Run key to start application

[depth 116, PID 2072] C:\Users\Admin\dukEgMAk\oQEwsUkw.exe
  Command line: "C:\Users\Admin\dukEgMAk\oQEwsUkw.exe"

[depth 117, PID 5416] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 228
  - Program crash

[depth 116, PID 4940] C:\ProgramData\scYsoIYk\WOMwMEMs.exe
  Command line: "C:\ProgramData\scYsoIYk\WOMwMEMs.exe"

[depth 117, PID 3044] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 224
  - Program crash

[depth 116, PID 1020] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 117, PID 1392] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 118, PID 5448] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 119, PID 2680] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 120, PID 3860] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

[depth 121, PID 2772] C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

[depth 122, PID 3352] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"