Analysis
  max time kernel:   150s
  max time network:  113s
  platform:          windows11-21h2_x64
  resource:          win11-20250502-en
  resource tags:     arch:x64 arch:x86 image:win11-20250502-en locale:en-us os:windows11-21h2-x64 system
  submitted:         19/05/2025, 14:50
Static task:      static1
Behavioral task:  behavioral1
  Sample:    2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
  Resource:  win10v2004-20250502-en
Behavioral task:  behavioral2
  Sample:    2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
  Resource:  win11-20250502-en
General
  Target:  2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
  Size:    220KB
  MD5:     b1d41c804f79a9153d4fe8c6e8be4ece
  SHA1:    4292aec076397c0b1908c2c41d148159430e5ec3
  SHA256:  75c78679e60d2553a5cfd1bb4ec9683bdbe43b4b343e5d4aa0eac8050cbcf882
  SHA512:  68a7a93da96d91147c80715bac2d848ee3b322a24d574d156ca67a6bbf97053f32e5087a68e766eda5e72beb7e11ccf66e378df8d7cc9ee3cf3191144f4cd6f0
  SSDEEP:  3072:Eby7RPR7AoCwwMC5CXAc+rkoa8N2TYwQkEAgjp9SnTAysZjCcYozbcAcY:sytCoxwMC55mEAnQkGSTAy0j7Y8Tr
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
  All 64 entries are the same write, so the table collapses to one row:
  description      ioc                                                                                                                                       process
  Set value (int)  \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe (most entries; a minority are logged as "Process not Found", meaning the sandbox could not attribute the write to a tracked process)
  Why it matters here: with HideFileExt = 1 Explorer shows an infected "report.docx.exe" as "report.docx", which is what lets the renamed files in the "Renames multiple (83) files" and "Drops file in System32" signatures below pass as the originals. The value is per-user (it sits under the HKU hive of the Admin account), and it is written again and again by separate reg.exe instances, which is where the long PID list under "Modifies registry key" comes from.
UAC bypass (3 TTPs, 64 IoCs)
  All 64 entries are the same write:
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe (most entries; the rest are logged as "Process not Found")
  Caveat on the signature name: EnableLUA = 0 does not bypass a UAC prompt, it switches UAC off for the whole machine, and the change only takes effect after the next reboot. The value lives under HKLM\SOFTWARE\...\Policies\System, which a medium-integrity process cannot write, so a successful write means the sample was already running with an elevated token in this sandbox run. On a real host, treat a reg.exe child setting EnableLUA to 0 as a high-confidence alert regardless of what else the parent does.
Renames multiple (83) files with added filename extension
  Files across the system are rewritten under their original name plus an appended extension. This is the ransomware-style behaviour the sample name (virlock) points to: rather than only encrypting content, the original file is replaced by an executable copy that keeps the original name in front of the new extension, so every "document" the user opens afterwards re-runs the infector.
Executes dropped EXE (4 IoCs)
  pid   process
  888   ZSksQgsA.exe
  3248  yuwQEogk.exe
  5000  yuwQEogk.exe
  5036  ZSksQgsA.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers routinely read stored browser data (saved credentials, cookies, autofill entries). The report lists no IoC rows for this signature, so treat it as a behavioural hint rather than confirmed credential theft.
Adds Run key to start application (2 TTPs, 6 IoCs)
  description      ioc  (process)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuwQEogk.exe = "C:\\ProgramData\\VIMooogQ\\yuwQEogk.exe"  (yuwQEogk.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuwQEogk.exe = "C:\\ProgramData\\VIMooogQ\\yuwQEogk.exe"  (yuwQEogk.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZSksQgsA.exe = "C:\\Users\\Admin\\zwwEcEQs\\ZSksQgsA.exe"  (ZSksQgsA.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZSksQgsA.exe = "C:\\Users\\Admin\\zwwEcEQs\\ZSksQgsA.exe"  (2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuwQEogk.exe = "C:\\ProgramData\\VIMooogQ\\yuwQEogk.exe"  (2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZSksQgsA.exe = "C:\\Users\\Admin\\zwwEcEQs\\ZSksQgsA.exe"  (ZSksQgsA.exe)
  Two autostart entries, one machine-wide (HKLM WOW6432Node Run, image under C:\ProgramData\VIMooogQ\) and one per-user (HKU Run, image under C:\Users\Admin\zwwEcEQs\). Both images are the dropped executables listed under "Executes dropped EXE", and each is registered both by the original sample and by the dropped copy itself.
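The three registry signatures above (HideFileExt, EnableLUA, Run keys) are all plain "Set value" rows in the same shape. The following Python is an added example, not part of the sandbox report or of the tria.ge tooling, that parses rows in that shape and reduces 64 identical lines to one finding per rule and writing process. The rule names and ATT&CK mappings are the editor's choices, and the sample rows are constructed here (SID and binary names copied from the report, plus one benign HideFileExt = "0" control row that must not fire).

```python
import re
from collections import Counter

# Shape of one "Set value" row in the report: Set value (<type>) <key\value> = "<data>" <process>
_ROW = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<process>.+)$')

# Constructed sample rows in the report's format (SID and binary names taken from the report;
# the final HideFileExt = "0" row is a benign control that must not fire).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuwQEogk.exe = "C:\\ProgramData\\VIMooogQ\\yuwQEogk.exe" yuwQEogk.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZSksQgsA.exe = "C:\\Users\\Admin\\zwwEcEQs\\ZSksQgsA.exe" ZSksQgsA.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" explorer.exe',
]


def parse_row(line):
    """Split one IoC row into type, key path, data and writing process; None if it does not match."""
    m = _ROW.match(line.strip())
    return m.groupdict() if m else None


def classify(row):
    """Map a parsed registry write to (rule, ATT&CK technique), or None if it is not one we track."""
    path, data = row["path"].lower(), row["data"]
    if path.endswith("\\explorer\\advanced\\hidefileext") and data == "1":
        return ("Explorer hides file extensions", "T1564 Hide Artifacts")
    if path.endswith("\\policies\\system\\enablelua") and data == "0":
        return ("UAC disabled via EnableLUA=0", "T1548.002 Bypass User Account Control")
    if "\\currentversion\\run\\" in path:
        return ("Run-key persistence", "T1547.001 Registry Run Keys / Startup Folder")
    return None


def triage(lines):
    """Return one finding per matching row, with the hive and the autostart image for Run-key writes."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        hit = classify(row)
        if hit is None:
            continue
        rule, technique = hit
        finding = {
            "rule": rule,
            "technique": technique,
            "hive": "HKLM" if row["path"].lower().startswith("\\registry\\machine\\") else "HKU",
            "process": row["process"],
        }
        if rule == "Run-key persistence":
            # The report escapes backslashes in string data ("C:\\ProgramData\\..."); undo that.
            finding["image"] = row["data"].replace("\\\\", "\\")
        findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per (rule, writing process) so 64 identical rows collapse to one line."""
    return Counter((f["rule"], f["process"]) for f in findings)


if __name__ == "__main__":
    for (rule, proc), n in summarize(triage(SAMPLE_EVENTS)).items():
        print(f"{n:3d}  {rule:32s}  {proc}")
```

Run it over the full IoC tables of a report and the summary gives the per-process split (reg.exe versus "Process not Found") that the raw tables bury; the "image" field on Run-key findings is what to hand to the file-system sweep.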
Drops file in System32 directory (2 IoCs)
  description                   ioc                                  process
  File created                  C:\Windows\SysWOW64\shell32.dll.exe  ZSksQgsA.exe
  File opened for modification  C:\Windows\SysWOW64\shell32.dll.exe  ZSksQgsA.exe
  Note the name: shell32.dll with .exe appended, the same rename pattern as the 83 user files, placed in a directory users rarely browse. With HideFileExt = 1 it displays as shell32.dll.
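The rename signature and the shell32.dll.exe drop share one trait: a decoy extension followed by an executable one, which the HideFileExt = 1 write hides from the user. The following Python is an added example, not code from the report or from any vendor, that sweeps a file listing for that pattern, records the name Explorer would display with extensions hidden, and flags hits inside system directories. The extension lists are the editor's assumptions, and every path except shell32.dll.exe is constructed.

```python
import ntpath
import os
from collections import Counter

# Outer extensions that make a file execute, and inner extensions an infector keeps so the
# renamed file still looks like the user's document or DLL (editor's assumed lists; extend as needed).
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DECOY_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip", ".dll"}

# Directories where a double-extension file is a drop, never a user mistake.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed listing; only shell32.dll.exe is taken from the report.
SAMPLE_PATHS = [
    r"C:\Windows\SysWOW64\shell32.dll.exe",
    r"C:\Users\Admin\Documents\budget.xlsx.exe",
    r"C:\Users\Admin\Documents\notes.txt.exe",
    r"C:\Users\Admin\Pictures\holiday.jpg.exe",
    r"C:\Users\Admin\Documents\budget.xlsx",
    r"C:\Program Files\Tool\setup.exe",
    r"C:\Users\Admin\Downloads\archive.tar.gz",
]


def split_double_extension(name):
    """Return (stem, inner, outer) for names like 'budget.xlsx.exe', else None."""
    base, outer = ntpath.splitext(name)
    stem, inner = ntpath.splitext(base)
    if stem and outer.lower() in EXEC_EXT and inner.lower() in DECOY_EXT:
        return stem, inner, outer
    return None


def scan_paths(paths):
    """Flag double-extension executables and record what Explorer shows once HideFileExt = 1."""
    findings = []
    for path in paths:
        parts = split_double_extension(ntpath.basename(path))
        if parts is None:
            continue
        stem, inner, outer = parts
        findings.append({
            "path": path,
            "shown_as": stem + inner,  # the name a user sees with extensions hidden
            "inner": inner.lower(),
            "outer": outer.lower(),
            "system_dir": ntpath.dirname(path).lower() in SYSTEM_DIRS,
        })
    return findings


def scan_tree(root):
    """Walk a real directory tree; ntpath also accepts '/' so this runs unchanged on a POSIX box."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths)


def by_directory(findings):
    """Directories with many hits are where the infector swept; useful when scoping restores."""
    return Counter(ntpath.dirname(f["path"]) for f in findings)


if __name__ == "__main__":
    hits = scan_paths(SAMPLE_PATHS)
    for h in hits:
        flag = "SYSTEM DIR" if h["system_dir"] else ""
        print(f'{h["path"]:50s} shown as {h["shown_as"]:20s} {flag}')
    print(by_directory(hits))
```

Point scan_tree at a mounted image of the victim disk; a clean original beside its .exe twin (budget.xlsx next to budget.xlsx.exe in the sample) is the recoverable case, a lone twin means the original was overwritten.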
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  All 64 entries open the same key; only the opening process differs:
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe, reg.exe, cmd.exe, cscript.exe, yuwQEogk.exe, and some entries logged as "Process not Found"
  Caveat: opening NLS\Language is also something ordinary process initialisation does, and here it fires for every helper the run spawns (cmd.exe, reg.exe, cscript.exe), so on its own it is weak evidence of deliberate geofencing. What the list does add is that cscript.exe ran during the analysis, so part of the activity went through a script host.
Modifies registry key (1 TTP, 64 IoCs)
  49 entries attributed to reg.exe, PIDs: 5076, 4908, 5372, 1116, 5152, 5876, 460, 4992, 1640, 5140, 4448, 2792, 5300, 1480, 464, 2100, 864, 5004, 4836, 4652, 5636, 3496, 5988, 3396, 5980, 2072, 2936, 1556, 2644, 388, 1520, 4984, 4756, 2124, 5336, 5808, 5440, 4564, 6132, 4576, 4636, 5668, 4700, 4508, 4996, 2616, 3736, 4612, 2240
  15 entries logged as "Process not Found", PIDs: 5152, 3204, 5228, 3840, 2240, 3888, 5180, 1416, 3728, 4568, 5644, 2548, 4380, 1140, 4976
  PIDs 5152 and 2240 occur in both lists, and 4564 also appears below as an instance of the sample itself: Windows recycles PIDs within a run, so when pivoting between these tables key on PID plus start time (or the sandbox's own process id, the procid_target column further down) rather than on PID alone.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  16 instances of 2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe, four entries each:
  pids: 5340, 5848, 4956, 4564, 2748, 1712, 936, 832, 2444, 1828, 4936, 2060, 2308, 4560, 1384, 6048
Suspicious use of FindShellTrayWindow 20 IoCs
pid  Process       rows
888  ZSksQgsA.exe  20
(identical rows collapsed; the last column gives how many times the row appears)
Suspicious use of WriteProcessMemory 64 IoCs
source PID  wrote to memory of (target PID)  source Process                                                 procid_target  rows
5340        888                              2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  78             3
5340        3248                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  80             3
5340        464                              2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  82             3
5340        760                              2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  86             3
5340        6136                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  87             3
5340        4716                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  88             3
5340        4580                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  89             3
464         5848                             cmd.exe                                                        94             3
2388        5000                             cmd.exe                                                        95             3
5768        5036                             cmd.exe                                                        96             3
4580        5028                             cmd.exe                                                        97             3
5848        4476                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  98             3
4476        4956                             cmd.exe                                                        100            3
5848        3212                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  101            3
5848        2644                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  102            3
5848        6124                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  103            3
5848        2824                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  104            3
4956        4700                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  109            3
2824        3936                             cmd.exe                                                        111            3
4700        4564                             cmd.exe                                                        112            3
4956        3772                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  113            3
4956        1840                             2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe  114            1
(identical rows collapsed; the last column gives how many times each row appears, 64 in total)
Processes
(Each entry: [tree depth] PID and image path, then the command line, then the signatures that process triggered.)

[1] PID 5340  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[2] PID 888  C:\Users\Admin\zwwEcEQs\ZSksQgsA.exe
    cmdline: "C:\Users\Admin\zwwEcEQs\ZSksQgsA.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow

[2] PID 3248  C:\ProgramData\VIMooogQ\yuwQEogk.exe
    cmdline: "C:\ProgramData\VIMooogQ\yuwQEogk.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery

[2] PID 464  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - Suspicious use of WriteProcessMemory

[3] PID 5848  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[4] PID 4476  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - Suspicious use of WriteProcessMemory

[5] PID 4956  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[6] PID 4700  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - Suspicious use of WriteProcessMemory

[7] PID 4564  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

[8] PID 4148  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[9] PID 2748  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[10] PID 3920  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[11] PID 1712  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[12] PID 5552  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[13] PID 936  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[14] PID 4668  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[15] PID 832  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

[16] PID 3024  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[17] PID 2444  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[18] PID 2624  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[19] PID 1828  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[20] PID 3368  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - System Location Discovery: System Language Discovery

[21] PID 4936  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[22] PID 2220  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[23] PID 2060  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[24] PID 2044  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[25] PID 2308  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[26] PID 1948  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[27] PID 4560  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[28] PID 2208  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[29] PID 1384  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[30] PID 3492  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[31] PID 6048  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - Suspicious behavior: EnumeratesProcesses

[32] PID 2440  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[33] PID 3440  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[34] PID 5936  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[35] PID 4256  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[36] PID 3404  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[37] PID 1828  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[38] PID 5632  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[39] PID 404  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[40] PID 1660  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[41] PID 2060  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[42] PID 2332  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[43] PID 5328  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[44] PID 5180  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[45] PID 4148  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[46] PID 3908  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[47] PID 3712  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[48] PID 2772  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[49] PID 3932  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[50] PID 1544  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[51] PID 1984  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[52] PID 5880  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[53] PID 3440  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[53] PID 3604  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[54] PID 4256  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[55] PID 4992  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery

[56] PID 2384  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[57] PID 4636  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[58] PID 1696  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[59] PID 1956  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[60] PID 1668  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[61] PID 2060  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[61] PID 6072  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[62] PID 1368  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[63] PID 3400  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[64] PID 2124  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[65] PID 2352  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[66] PID 4492  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - System Location Discovery: System Language Discovery

[67] PID 5716  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[68] PID 1556  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[69] PID 3932  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[69] PID 5200  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[70] PID 3024  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[71] PID 6056  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[72] PID 5888  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[73] PID 4756  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[74] PID 4356  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[75] PID 3584  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[76] PID 1920  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[77] PID 1828  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[78] PID 5964  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[79] PID 5896  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[80] PID 5252  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[81] PID 5524  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[82] PID 5324  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[83] PID 828  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[84] PID 3528  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[85] PID 2544  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[86] PID 424  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[87] PID 3616  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[88] PID 5912  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[89] PID 4744  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[90] PID 1824  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[91] PID 4928  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[92] PID 2972  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[93] PID 3252  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[94] PID 5076  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[95] PID 5140  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[96] PID 1828  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[97] PID 3380  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[98] PID 3372  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[99] PID 5276  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[100] PID 3724  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[101] PID 5180  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[102] PID 1684  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[103] PID 828  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery

[104] PID 3328  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[105] PID 2992  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[106] PID 5656  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[107] PID 3616  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[108] PID 4688  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[109] PID 3036  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[110] PID 6056  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[111] PID 4720  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[111] PID 1824  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery

[112] PID 1664  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[113] PID 3252  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock
    - System Location Discovery: System Language Discovery

[114] PID 744  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[115] PID 3128  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[116] PID 2976  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[117] PID 1920  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[118] PID 5420  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"
    - System Location Discovery: System Language Discovery

[119] PID 2112  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[120] PID 3504  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"

[121] PID 6128  C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock

[122] PID 4080  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b1d41c804f79a9153d4fe8c6e8be4ece_elex_virlock"