Analysis
max time kernel: 150s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/05/2025, 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  Resource: win11-20250502-en
General
Target: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
Size: 181KB
MD5: f8bf3340ea587acc2f96c24372f29edf
SHA1: 3ace4837343f21c73e38517b8e44f6010450fc53
SHA256: 4e570261798b1f8ea4b1793efd7f4b0fb5a109a99a1dd2bc2dd5859e46df4968
SHA512: 36d59f407063822b8c8f5216d3abf8d835c0ed885c446844223e561333c450445b448c3d19a6612979bf7f1e88aaef7fe50f2193360ceb334c93dbc70c74551d
SSDEEP: 3072:SiSl8WNKYkMqLwwl5XBZ6Sz1Jq3CgRkiGgmWL3v6HkrkKfPn7JBDwk4k5OXgSe19:SiqNCtBFz1o9RkiGgmWL3v9kKfDJaole
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Process: reg.exe for most of the 64 entries; the remaining entries are recorded as "Process not Found"
  All 64 IoC entries record this same registry write.
UAC bypass (3 TTPs, 64 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: reg.exe for most of the 64 entries; the remaining entries are recorded as "Process not Found"
  All 64 IoC entries record this same registry write.
Renames multiple (90) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Executes dropped EXE (4 IoCs)
  pid   Process
  1928  wWwsUwcg.exe
  1708  dKggoIYI.exe
  5000  wWwsUwcg.exe
  4828  dKggoIYI.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 8 IoCs)
  description: Set value (str) for every entry
  ioc: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\zkkswMkg.exe = "C:\\Users\\Admin\\yWYsIkgI\\zkkswMkg.exe"    Process: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gWMMgUYM.exe = "C:\\ProgramData\\lKoQsgQU\\gWMMgUYM.exe"    Process: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  ioc: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe"    Process: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe"    Process: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
  ioc: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe"    Process: wWwsUwcg.exe
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe"    Process: dKggoIYI.exe
  ioc: \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe"    Process: wWwsUwcg.exe
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe"    Process: dKggoIYI.exe
Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\shell32.dll.exe
  Process: wWwsUwcg.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  1976  3048        WerFault.exe  1493
  5264  1500        WerFault.exe  1490
  4092  4272        WerFault.exe  1509
  5900  128         WerFault.exe  1512
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: all 64 entries open this same key; the recorded processes are cscript.exe, cmd.exe, reg.exe, 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe and "Process not Found"
Modifies registry key (1 TTP, 64 IoCs)
  pid / Process, in report order:
  3556 reg.exe, 5240 Process not Found, 5208 reg.exe, 5632 reg.exe, 5364 reg.exe, 5444 Process not Found, 4444 reg.exe, 5680 reg.exe, 5016 reg.exe, 5712 reg.exe,
  1572 reg.exe, 3720 reg.exe, 1212 reg.exe, 1900 reg.exe, 5376 reg.exe, 2964 reg.exe, 6008 reg.exe, 3500 reg.exe, 776 reg.exe, 1776 reg.exe,
  972 reg.exe, 2888 reg.exe, 4224 reg.exe, 3796 reg.exe, 1064 reg.exe, 3024 reg.exe, 5916 Process not Found, 4976 Process not Found, 5964 reg.exe, 3304 reg.exe,
  5076 reg.exe, 2424 reg.exe, 5860 reg.exe, 4616 reg.exe, 3080 Process not Found, 1168 reg.exe, 3836 reg.exe, 2928 reg.exe, 5548 reg.exe, 1664 reg.exe,
  4468 reg.exe, 1296 reg.exe, 4160 reg.exe, 3100 reg.exe, 1068 reg.exe, 2400 reg.exe, 3588 reg.exe, 2128 reg.exe, 332 reg.exe, 4756 Process not Found,
  5840 Process not Found, 4052 reg.exe, 6068 reg.exe, 5832 reg.exe, 3904 reg.exe, 1280 reg.exe, 5092 reg.exe, 1900 reg.exe, 1692 Process not Found, 5952 Process not Found,
  5104 Process not Found, 4140 reg.exe, 240 reg.exe, 4812 reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe for every entry
  pid: each of the following PIDs appears four times: 1884, 5012, 4644, 2092, 3160, 3024, 5796, 6052, 5528, 4572, 5076, 2388, 4812, 2392, 3260, 5444
Suspicious use of FindShellTrayWindow 19 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (Depth is the nesting level under the submitted sample; behaviour flags are the sandbox's own):

| Depth | PID | Image | Command line | Behaviour |
|---|---|---|---|---|
| 1 | 1884 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe" | Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory |
| 2 | 1928 | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | "C:\Users\Admin\sussEYcg\wWwsUwcg.exe" | Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of FindShellTrayWindow |
| 2 | 1708 | C:\ProgramData\GWMUswwQ\dKggoIYI.exe | "C:\ProgramData\GWMUswwQ\dKggoIYI.exe" | Executes dropped EXE; Adds Run key to start application |
| 2 | 1916 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | Suspicious use of WriteProcessMemory |
| 3 | 5012 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory |
| 4 | 4136 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | Suspicious use of WriteProcessMemory |
| 5 | 4644 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory |
| 6 | 5620 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 7 | 2092 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 8 | 128 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 9 | 3160 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 10 | 548 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 11 | 3024 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 12 | 5592 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 13 | 5796 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 14 | 800 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 15 | 6052 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 16 | 2476 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 17 | 5528 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 18 | 3728 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 19 | 4572 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 20 | 4132 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 21 | 5076 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 22 | 3048 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 23 | 2388 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 24 | 4124 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 25 | 4812 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 26 | 2824 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 27 | 2392 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 28 | 5784 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 29 | 3260 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 30 | 3120 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 31 | 5444 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | Suspicious behavior: EnumeratesProcesses |
| 32 | 3556 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 33 | 1776 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 34 | 664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 35 | 5680 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 36 | 3372 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 37 | 4140 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 38 | 5772 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 39 | 3728 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 40 | 3100 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 41 | 2548 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 42 | 4640 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 43 | 4580 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 44 | 5756 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 45 | 3480 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 46 | 1976 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 47 | 3564 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 48 | 2988 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 49 | 3576 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 50 | 6084 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 51 | 5988 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 52 | 1476 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 53 | 1908 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 54 | 2288 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 55 | 4836 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 56 | 5824 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 57 | 4624 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 58 | 2324 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 59 | 3016 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 60 | 4368 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 61 | 3052 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 62 | 2444 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 63 | 6140 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 64 | 3764 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 65 | 240 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 66 | 4452 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 67 | 5732 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 68 | 5160 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 69 | 5560 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 70 | 1100 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 71 | 2084 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 72 | 1064 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 73 | 2344 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 74 | 5312 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 75 | 4376 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 76 | 1480 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 77 | 3280 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 78 | 2340 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 79 | 768 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 80 | 2728 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 81 | 3052 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 82 | 1360 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 83 | 6140 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 84 | 4124 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 85 | 668 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 86 | 3996 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 87 | 2988 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 88 | 1280 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 89 | 5940 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 90 | 6012 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 91 | 5512 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 92 | 5248 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 93 | 3012 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 94 | 1388 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 95 | 4376 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 96 | 5964 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 97 | 5564 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 98 | 3404 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 99 | 768 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 100 | 3040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 101 | 2444 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 102 | 2952 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 103 | 1976 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 104 | 2688 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 105 | 5324 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 106 | 1788 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | System Location Discovery: System Language Discovery |
| 107 | 5744 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| 107 | 5160 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 108 | 496 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 109 | 5940 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 110 | 5400 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 111 | 4296 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 112 | 776 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 113 | 2088 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 114 | 2472 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 115 | 4448 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 116 | 336 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 117 | 4700 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 118 | 4892 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 119 | 3052 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 120 | 5016 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |
| 121 | 1564 | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock | |
| 122 | 4488 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock" | |