Analysis Overview
SHA256
2711846550c5f26660cefc9a0a3baf100a01492b5b7153254349dc487195743a
Threat Level: Known bad
The file 2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (79) files with added filename extension
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-15 06:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-15 06:33
Reported
2025-05-15 06:36
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (79) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| N/A | N/A | C:\ProgramData\xwMUQUkM\YSswkYcw.exe | N/A |
| N/A | N/A | C:\ProgramData\mOEskksE\YogoYcok.exe | N/A |
| N/A | N/A | C:\ProgramData\xwMUQUkM\YSswkYcw.exe | N/A |
| N/A | N/A | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEYkoIoI.exe = "C:\\Users\\Admin\\mIwUswco\\TEYkoIoI.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEYkoIoI.exe = "C:\\Users\\Admin\\mIwUswco\\TEYkoIoI.exe" | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" | C:\ProgramData\xwMUQUkM\YSswkYcw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" | C:\ProgramData\mOEskksE\YogoYcok.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEYkoIoI.exe = "C:\\Users\\Admin\\mIwUswco\\TEYkoIoI.exe" | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" | C:\ProgramData\xwMUQUkM\YSswkYcw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\sheGroupCompare.docx | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheHideCheckpoint.docx | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheReceiveJoin.wma | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSwitchReceive.jpeg | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\mIwUswco | C:\ProgramData\mOEskksE\YogoYcok.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\mIwUswco\TEYkoIoI | C:\ProgramData\mOEskksE\YogoYcok.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\mIwUswco\TEYkoIoI.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe"
C:\Users\Admin\mIwUswco\TEYkoIoI.exe
"C:\Users\Admin\mIwUswco\TEYkoIoI.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\mIwUswco\TEYkoIoI.exe
C:\ProgramData\xwMUQUkM\YSswkYcw.exe
"C:\ProgramData\xwMUQUkM\YSswkYcw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\xwMUQUkM\YSswkYcw.exe
C:\ProgramData\mOEskksE\YogoYcok.exe
C:\ProgramData\mOEskksE\YogoYcok.exe
C:\ProgramData\xwMUQUkM\YSswkYcw.exe
C:\ProgramData\xwMUQUkM\YSswkYcw.exe
C:\Users\Admin\mIwUswco\TEYkoIoI.exe
C:\Users\Admin\mIwUswco\TEYkoIoI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIAkckUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwQcwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqYYsAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKcswMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AacYsIws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TesMIgws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUAIYcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQAsYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sikQQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgIskss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQMAkMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIckEksk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUAcgsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIYIIow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAYwEQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgQMgMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hsgoockg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMogkUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcYoMUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGkUAAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeoAoYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEAEEUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIAgYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQokggQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAwskcss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGcAkwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkkIcQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuocMssY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmQwUsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMUIoAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iewIsUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUEksoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEQUEQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vosgcsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMIocIgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaAcMYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWYgwYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUoMYgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqYYokIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUIYAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykoQMkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiAggMos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCcAkwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqAowkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsQgYwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCgEkQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMMYIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAcIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEwIMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUUMYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| DE | 2.19.96.128:443 | www.bing.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| FR | 216.58.205.206:80 | google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 142.251.37.35:80 | c.pki.goog | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
| FR | 216.58.205.206:80 | google.com | tcp |
Files
memory/3408-0-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/3408-1-0x0000000004850000-0x0000000004870000-memory.dmp
C:\Users\Admin\mIwUswco\TEYkoIoI.exe
| MD5 | b0b801ec0792ad456dde48e7ec6188bc |
| SHA1 | cf3edf5a732ff43db6fcec7ac9ab8bff80dc4712 |
| SHA256 | 1f83ccce3f19e3069b3d34fa550deb55a0f4e29f2a77b8bb009b08f66556f558 |
| SHA512 | 3a7aee00139d01e79887eac8e3b9b57f7697a40fda5fb233f920e8b26999e37bd46d9b6cac745f1db303eff194849a2fa2c8b9fa3e707a5d1aa3fff4c27da161 |
C:\ProgramData\xwMUQUkM\YSswkYcw.exe
| MD5 | 6d23a7b8005a2a1f8a0618e7199941d0 |
| SHA1 | 276476550ea623bab9b88c2a001b3adf2f233434 |
| SHA256 | 911c3bdeb1a9ea2b1133c3b797ec765f69ec353fb2b9390caaaedb7da90df2ff |
| SHA512 | 2038a560cc5cde9ef4e23773e6762ed3ce6c8bc026e56ab485ebf91fc532ca0917d1dbbb77d242f01779aaacd8ec68add92675d195e2502c08a3dd1a853fad80 |
memory/3364-14-0x0000000000400000-0x0000000000590000-memory.dmp
C:\ProgramData\mOEskksE\YogoYcok.exe
| MD5 | 4b83dd5c9e25b457a68e564341758b07 |
| SHA1 | f925ba7ab7f18eb7ea1a9f4034eccc1ba697bf6e |
| SHA256 | d974b1d89dcff1a67e08940abba0d0805019626a8ec31d29212ba824577b8148 |
| SHA512 | 23cb7fed8b1d1953d44b828c06645724dc7c80e7ce28f38f7d5782906c9dec1bda178cc5a10bd694196e15433aaf468679da8ed957fbaf2636e03ea2527e57f4 |
memory/456-18-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4396-10-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4456-23-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4444-22-0x0000000000400000-0x0000000000590000-memory.dmp
memory/3408-32-0x0000000004850000-0x0000000004870000-memory.dmp
C:\ProgramData\xwMUQUkM\YSswkYcw.inf
| MD5 | 014931bb8fb0ce3b85644602e6b5672f |
| SHA1 | 48a55b1dfb78a826c38717144b48e8ec1a14bf8c |
| SHA256 | 267d9402e21403c7efa1faf44a5290c34ae6c1ed4d2b2a8e396f691731af5ff6 |
| SHA512 | 47744de95587a69c636570155f093af35528e7514290c6bd1d49ba893e201820aaae1fee04f82adbd6ccab6c0d268c96fbeb442a49c2d10f755e62f0231572ae |
memory/2324-31-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/3408-37-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\mIwUswco\TEYkoIoI.inf
| MD5 | eeb9d09cdebd3b5ea7907b5534016bfa |
| SHA1 | ff279fff6717c37be6143b3928f31b3e739b55b2 |
| SHA256 | 22da06bfcce3fca43dffb3659c97eb27b5f7c5e7ae5674cb2bebef16ab5cf32b |
| SHA512 | dc17d996bfe04b97adb96c705916152e30be79d43a6f53d207fe799b530a609688d6c4fc28c218cf78641f330ba197e73b55fc2770ce81b332e0451949e36cf9 |
C:\Users\Admin\AppData\Local\Temp\CIAkckUk.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
| MD5 | ed7702573c750ea627dc5f620e3b64fb |
| SHA1 | 7affe46da633cf1bbe00640c105f90bfb8af455b |
| SHA256 | b43e03aba20516081d8a94f92381afc82f836cca08a267f9fc51345305a4dbce |
| SHA512 | d206d094feb81186c31db9a603bf6303417e2b29082271049fa217d0a454d51dcdd3aae13b33a472663b4351ccedfccebe05c91e5d1f343cde5897d1bda6ed65 |
memory/2324-56-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/6132-57-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\mIwUswco\TEYkoIoI.inf
| MD5 | 1a0c48ffc9ccb306e82062e97adf427e |
| SHA1 | 91b2dd2ca6f2eafc58ebef671522973ce479b81d |
| SHA256 | ccde113bf3a12cffb2d4783d04665ec3a68ba32ecbde00a9062562240931ad83 |
| SHA512 | 61a71438dd38dd43f01e0eeeac3ee14b422a444f47e02afb905f8629b001e6fad7c0691341e153ce2a3d068427b6faa92d3d1119714f878750c81bd0f6510673 |
memory/6132-76-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/2884-77-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/1820-85-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/2884-89-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\mIwUswco\TEYkoIoI.inf
| MD5 | 5b5c792388033c22086c02ca656dda32 |
| SHA1 | 253089d7383baadc3fb49f35c8ecd0136428b0ee |
| SHA256 | d06ae4c0a989a5b65ef6d12e223ccbc0260720b60d7f94254b2e83cfc09c079d |
| SHA512 | b9d4a0673164f343b26bf0e2dff81344b36115d33d3852c3933c60c89a41d9a937d559d8cbc105a2a3a8b76581b3e3d269376f789edf5712d02271ed2e62843b |
C:\ProgramData\xwMUQUkM\YSswkYcw.inf
| MD5 | c520eb9c105ef1c0f2544a3931746416 |
| SHA1 | 289d4fc88a26b7fb84eabc4f7ca03a11dfc9062f |
| SHA256 | 15ecde8ca28ab9de66b7824177ea7ce58ad1e52a68699b2cf480ca73607ad7b3 |
| SHA512 | 58bc447cd97e77095f2a6b64e05707d66e352c3132826a56e8672d769c52f4741b8d25c55928359ef201fa789bd7930277d675c081fc4671e882e9d70439d0d8 |
memory/1820-113-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/5528-115-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/5528-126-0x0000000000400000-0x0000000000B4B000-memory.dmp
memory/452-128-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\mIwUswco\TEYkoIoI.inf
| MD5 | 3b2db7903e96d957a1af6aab384dc0c1 |
| SHA1 | 85308b35a36bf0ccf79f18d15fc66b08d3987c57 |
| SHA256 | 801041f536105739a63434d461636a449d7a7e6cb33ffaee2a562399112780b0 |
| SHA512 | c4e2846306f8fde288ee91b0d3234ac75f1975a06a7d55b105e6211f32084340a38d713f43b1f56d8c01bf21352bb13056495615695a0ec6ae24bc92226c7a55 |
memory/4396-140-0x0000000002200000-0x0000000002220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iAQk.exe
| MD5 | 71ae64d8a3e34507baa06f747f68c76a |
| SHA1 | 60f9967d2bbb874a2e2e8bc2a2ca47deb39728e4 |
| SHA256 | e6b9baaf109f5590fecd5e14ea50f35eba8d49fdc11fcbb17bb003498114d468 |
| SHA512 | 7e4821765c5b3f49b8792ffcbdb9035ef40f9c136fe96e64a1f7398d2df1a1eb744a3a77158f17955b47ec97baddbea97771414d5014fa08036370258c512418 |
C:\ProgramData\xwMUQUkM\YSswkYcw.inf
| MD5 | 8815b7cbec8eb4c6402bcd97e0c1d748 |
| SHA1 | 1fccaeefe09e3ac1697ee91af8732bd0021ae6c4 |
| SHA256 | 98cde306ac9589a3a2e56eb3977735b0d513c66dde98114b6f9ed66579135386 |
| SHA512 | 25dbea86acae54361785eb7450094c2479274b47fa859783d464dd6e19a6fcfd1b32c8b07a9a4323aa0cd402bcbade7daf3ee822bf7d038ab0cb82cdc894b911 |
memory/4876-170-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osQK.exe
| MD5 | a0ccbd48a853876be34e5c88638544dc |
| SHA1 | 1399edea2e33af54dcb49e8fc921d82f78356bd6 |
| SHA256 | ef2dd57a76ca2645b87353120511c505bc5f79301167f4cc96decfd28bae24a9 |
| SHA512 | f2bed088b4a1a48288bf31e4065428a7e52d905cb5868d0302d8836f9bf61eefc5856ee05e9754555e91bfeb8ebbfec623970877109c79e47f64025fbd8ef077 |
C:\Users\Admin\AppData\Local\Temp\YUAo.exe
| MD5 | 57c49d6be3b210ecb50af3ac97d359aa |
| SHA1 | 5921bd29ec1c5596c44516a26a73188a131bd4b4 |
| SHA256 | 754886c5fac7a17b00bfa03af5111ae1106c10b9c4ba084a90660840ee37efdb |
| SHA512 | acb4bb0fb2d691cbadce20c77dbfda1bce10ae5f5522dae81bbf28d477a1100aad0c481601154357c4c6308c0e546bc320fa4ac708313a8f97765db3b3a13f88 |
C:\Users\Admin\AppData\Local\Temp\GQsQ.exe
| MD5 | 3a4f444dc348a04cb65945f243b4b366 |
| SHA1 | be28a88f01d6a1debce20e4d50f9145ec5e3bf5c |
| SHA256 | deede63dc3f49120512c5a52af970ca554ec40c30e7e33dc10c8c24f258a2204 |
| SHA512 | 4c971d697745a7bc014232ebdf5abd8c090a9de5a6f03c6e7a25b730ffa0434e10f4afb958cbea3c0b77af6723863e0be8c46b97fa1228c6343b53e5f9769f2a |
memory/452-216-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GIYa.exe
| MD5 | 5fe24d6ac12df3b6eefafee909a1c1af |
| SHA1 | 3b3515d3e4e6cd830ac190a2f2a3abc5087d5f1b |
| SHA256 | 5493affac9e7eb85890b3345cfa20210dfb89d9e10a319b7c50b96011cb25cf2 |
| SHA512 | 71e4a912c3269bf5b3739aa0c06fe329224f2f87720dc1d5b0fdf4c271cd117932c77967d54f3e0bc8780e5511097ad1eba3e884c63960ee391718f7d7cb2d38 |
C:\Users\Admin\AppData\Local\Temp\KYIw.exe
| MD5 | af0a3952c917e08b926bc802f2f2245c |
| SHA1 | d2cc0e9b1493de1c449204f7b23ff835dccd441b |
| SHA256 | babf1797d570f11f1d9d746e3f4e2b76f440f28cb8a5ad4581cef369b75fc06a |
| SHA512 | 98f16b0295633a28fb6f521a0eee2c953136038dde706b4ba6d2a540f9ecfb806dd02c9ed86f03af659c1d620ebe580e38d69490ace905b39484f666218d06d8 |
C:\Users\Admin\AppData\Local\Temp\AIYU.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\UoYu.exe
| MD5 | fd9c37584baa68ca75e0a597052c8bbf |
| SHA1 | 3a3e698fc622f05b52ef93ae1229a0553f86e022 |
| SHA256 | 840574e6233596c32c39a973393cdd6548d3ea2836d06beeb95479ee27629403 |
| SHA512 | 5fc435c73b8fe86160e4ebe92e06cb43db0daf1aa330c0a37e7e76606025fbed38d73943227d19fe1e3c2a38c89f84c41356cfd29bdf8f7fe349e381db121857 |
C:\Users\Admin\AppData\Local\Temp\gUMm.exe
| MD5 | 0aab9908c6d634dbcbb077fadd93d745 |
| SHA1 | ad3359c3fcc2f23a776ecf956b70cf5d205841f3 |
| SHA256 | ce833ba4b150c50548e7f48c34415530207a115ab8ae5387cfd08733289ddd8a |
| SHA512 | 6374c7443dedde54c6a949fd5cecfc921cf6ef859668167a0f1e0cb52c7f8992b4febc86270564f971cd59f78ceaeba1216ef7105673dd8ff51f62b88792e4b7 |
C:\ProgramData\taYs.txt
| MD5 | d7c0d67e615c6ed1096bfcf9d77b1ebb |
| SHA1 | 69b484108ea0d596c74b917c09c6bee991935191 |
| SHA256 | 37d929b189f51d7c55575daa0c6d68c6553fbb0c9679acee29401c5388c8994f |
| SHA512 | 694594a338cfce3fb444fc7f202b54ed340309aa9b352ce87aae611c1750225a42986057b45974dc9e326c622eea2951fc21221075e88fe657161ceab4276401 |
C:\Users\Admin\AppData\Local\Temp\QYYC.exe
| MD5 | b8ec53ed609bb51130f349062bfe0060 |
| SHA1 | b51f70f86439e5f319463e17513899abba564c6c |
| SHA256 | 6a4a59638a3a64db0fe95129f399d77b90be89d50e2f35e955d2ede94c8ab620 |
| SHA512 | 730213e793c14480f7e6d39a76fee887f24badba2d9a178184b529dcfaf6d63c47833d1ec2d7440a794f4c22e928b54654f3892363d7eca14e933661baeac1bd |
C:\Users\Admin\mIwUswco\TEYkoIoI.inf
| MD5 | c1ff0087706dbd64f31d8d1d110a0b56 |
| SHA1 | 1d27f900d360d7fcf08e4014390c658f4b3b9ac7 |
| SHA256 | 7c57c538043626724b7b5eeb326c057d75ecea1c3e683cde91c255d921a99996 |
| SHA512 | 5218c51f1b2848604862e34af940dc2a5bedd5d9918d1d9248ac563fbac5a0a8e67d53fb56da185c0fb7ea27ad2fa9505fba5007adba979f4e0c690a01ff4c76 |
C:\Users\Admin\AppData\Local\Temp\gAcm.exe
| MD5 | 42b7ece14c644cc82e1fb794ea850e80 |
| SHA1 | f3f27c0796c64d567a2a633b1a80453338bbe59f |
| SHA256 | 7068190f1d241eee2f736f80405675eaeffc741427748dc46300c2cfb986c6bc |
| SHA512 | 4daa788da8f4a12b61c4c8b0d7547700865e22fa0cf787ffa192fde9e18b1466583777987ed6cd8a98596f13c2ee6b8089b8fe5bd857ff803ff19ede4dce8198 |
C:\Users\Admin\AppData\Local\Temp\sAIU.exe
| MD5 | 983767cb6b0a6f0a63809ba44abe95d0 |
| SHA1 | 8d9d412a283d21f0fe8d91c1d846cfb2c948dbae |
| SHA256 | 34d45e2ca592986d068b6ab5048f0d54579c707cd7f88f43d89306e2ee92dae1 |
| SHA512 | a0185a5bc54b250381667f149ab1d381f6a954df3af68a3ae6d651b953b4fa9aefa5f37108b20330aa8371a54a52cda7bec72ee57d822314fb227f439dfbf2b7 |
C:\Users\Admin\AppData\Local\Temp\aYUG.exe
| MD5 | 16fd6480ddce0e576291b860515b7766 |
| SHA1 | a7aacdab9bad26d67829fc569b39d2a25c6aa3bd |
| SHA256 | ae1aa9b669f10951e151aaf65f78b915a8ed2fd63b6e2ed45bef98a241a8f43c |
| SHA512 | f5aaaf8adeb2642ea34632fadc3dd8187827b8b3f6a52e67f4b389fcabe8c8dda8a9b60ef30ae1da5e66c696d6bccca3c3f9a53fb022d3be486420ac61893952 |
memory/4876-343-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IcwO.exe
| MD5 | e74ecc560e6df1b53d5ace7fa6daa2c8 |
| SHA1 | 54308ecd344a73f83fa9a6f5224f8ac4ffc464ff |
| SHA256 | 7b3fb35946c7f7ed8ecacac70492df3ef8cc71f03ca1ccae6067cba1dc09332a |
| SHA512 | 73670a5e21f553c6da8a4e6e514ce64ecd1fd6901d0124ebe74abe95fd426ff07243173d753453cbc7d75b1599b9c5b99d71640af7a29462fe858dd031fff7b2 |
C:\Users\Admin\AppData\Local\Temp\IwoW.exe
| MD5 | 2e92007e392954adbcd43626a427126b |
| SHA1 | 7776fa845b2dcf22a4f75bcd138140b1725a2592 |
| SHA256 | 52e06ecdac460b53a728e6bfefa42a9a97739e7c6ff8cc8c64b8a18b0750960b |
| SHA512 | 8c51f0a767a13447e11def198186eda9328a43574d3f483dfa6fb92fd4623fc346a2951143fdeb0fbd4ebedf975336e3dc95af2ea3f104122b7415f8b8bab71e |
C:\ProgramData\xwMUQUkM\YSswkYcw.inf
| MD5 | 880ecc98a8849fc0d6dd35969d97fb7e |
| SHA1 | d4bf73b15c86c456a7f36f11dd98e464370a759d |
| SHA256 | df20f24226019446bb6fe160ac0f6a7e16edbb0eac4324cea243b3744dffd86a |
| SHA512 | 6190c40bc31600ee5ea15f532f88c55ab0e469ecd240d590457602255c1b15e50ecb4bc522f52a41b0c719fac5f4732594f5eb83fc5cf25ef3da5fdccabf3d47 |
C:\Users\Admin\AppData\Local\Temp\WIcU.exe
| MD5 | 91e56404ee6454a7c4015bae9fa535b7 |
| SHA1 | fd651fcdfc66b5534d8d4faef4785bdaf4425994 |
| SHA256 | 3300fe636836e9d7196700db75efa5eecee1540019d7881b0ba2f7bb7ed654fa |
| SHA512 | 63370956b77294f39120744540774944b345a4ce8d79382d0be7c406c419251bc30abb9152812876bf13e5a7713664a90106e1911270b0db9f098858f8c560f8 |
C:\Users\Admin\AppData\Local\Temp\qows.exe
| MD5 | 4160abd9d0f91852506ecf9eee23908a |
| SHA1 | c979302be38f479852777efc152e8567ff0eb41a |
| SHA256 | 5363e54e6b2a8bae4fd37caa4e1a1c3e34fa375f2410962e1e421f61dbd4b110 |
| SHA512 | 000a8b88884f532a0faecabf3d50c2002eccddfdd0489cc003c103470c2af2236f54ba8f67600a9388e60cd977e7857bef7ee63506d5f87f3db2ddbc6135f9ae |
C:\Users\Admin\AppData\Local\Temp\YAIE.exe
| MD5 | abe1b37c2bb43c5ff54f38b46f7f7c4f |
| SHA1 | 150d28f741617cf173c75e193716f3db385ed842 |
| SHA256 | 77125d5993168b58826bd0566c266b0817aced1283e71d739ac47b59cad03775 |
| SHA512 | 3d0d6eb7707424c2310d462c2b803a30727b555c45e62231db673afc21cd6029d4ecb42ff5537566850654ab6ae5ed012f972d3ac6e63c1b69ad6197f6b703e2 |
C:\Users\Admin\AppData\Local\Temp\EsIa.exe
| MD5 | 32fecf95e5560d8a91960d0c658fe69d |
| SHA1 | 1b0a3c4fe1bb03ca31e3697a121ab5c0b737a60b |
| SHA256 | 1946b0ee45f3ab29622317cd56bb2979d193325575d303d6e80eb5807fff34c5 |
| SHA512 | 7013a9d24718b763b8536f728c6be94d4ca49d6738b2aaec124b53ac0e9a315b7f3fa0de1b418477470ffa9da8130f00f20ac7d17ce639bba45df95ad178e990 |
C:\Users\Admin\AppData\Local\Temp\GkUg.exe
| MD5 | 09ff86c8ee0da7c8ae2411b6f07a1922 |
| SHA1 | 6aef6cd5a3a5b19daed7ecd8573dc22897ed8190 |
| SHA256 | a1f1c1d68763f1a0808d7176160dfe0783359f2b6f36f2509b42d3cb861b165f |
| SHA512 | bbf3c5107c63f0f274883dd131361f31f3edb02bb1eb873b993218266bb06a28621b68727d88accc5f0439f5dc8e6e8a3d4f9b1f92debd585bc7f0eea29f17c5 |
C:\Users\Admin\AppData\Local\Temp\coYe.exe
| MD5 | 1f7496b9efe46a85993d392737748e28 |
| SHA1 | 74a3a07760bc7305408ba3a0baebdf8eed5e981c |
| SHA256 | 81348ee7be684771e268ee719b23428e33827b13b72c2bbc6293c0416d0004db |
| SHA512 | e4918707a380701e32ddd1ce4ae5a481eded3d5d678416806a83bff7cc81a7a95e61959827b971cb69f613ef329af4364b2cda1c4034601db7f87f75410097e5 |
C:\Users\Admin\AppData\Local\Temp\qIsA.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 6eefc14ae7814d8e84ed96625f82b321 |
| SHA1 | 97753c401fd1fce557e2f536b1c048030accd651 |
| SHA256 | 7051f41d11246516c32710e32d0721343f5014ee8fed898b936e800c4e93b2c3 |
| SHA512 | dc7aeb07d36d78938513528c2694253ea2d612d270c326e24c1f102c821fbfa1244e220fcce62e37deb414f47b70a4a78b2a188916f82ec837b7f639421159a3 |
C:\Users\Admin\AppData\Local\Temp\mwQC.exe
| MD5 | 9db7fc408b2d2fe808947c88570f2a51 |
| SHA1 | cc2384e748aaca62c20929ba3e8b1c23fec120f6 |
| SHA256 | bb1b679c8517f50964dd0b0284f66d4ea8ce97cf0b846d76e315c573999ce6ba |
| SHA512 | 6f45f8d6ddde684430a7465d0a75e280c9712df6dd36fdb0b0f3ad3e22dfe48813c575376a7df354e4807ae2036875a546e5f3bfd495634acecedd254539cb42 |
C:\ProgramData\xwMUQUkM\YSswkYcw.inf
| MD5 | 2b65049894a14012541286fb6c94d2f5 |
| SHA1 | ef38d4e1813774a24ea689f499eb3ca1e65853dc |
| SHA256 | 0baaa92c5a4b95b78ad967a2cae9d676acac4ac5d2723d08158a1ed760921f32 |
| SHA512 | e2de5b1afecd59ba95214f62f5f05f5ac109d2ce267d6d85dcc3c4907abdd2f6467279f2a9824a432e07b5ea3a1f0c61ab9cd2fde09e06d6c60ccf39ed6b4d28 |
C:\Users\Admin\AppData\Local\Temp\mQgu.exe
| MD5 | ee8312a2cab48aafa15ad977eb9f4044 |
| SHA1 | b36f0851da5f693d2cc500d0f37cd053d3254ef4 |
| SHA256 | 6bba3b61d6f5761dae73d77c05c3ab042cbb897dd75e015c4706dbd382b1bcb9 |
| SHA512 | 431e67c351912d605231533b462fc9b88c9e04c1dbf7093f057a1360a63da92e58cf63ba9f0cb42f0f0cdc93cc18ff25576442ab2c934c980083751fd2c4d284 |
C:\Users\Admin\AppData\Local\Temp\ggAc.exe
| MD5 | 7630fe80b7301d48aefd48ea2dce318e |
| SHA1 | 0d86c59bb5d1ce0b54318290bf007fbad051c57f |
| SHA256 | dcb4855c7158b7883cb6bd2687c320296827123cd0e8510ca40e728a9363081f |
| SHA512 | 50aa85533cb9aaea6c0c0a36daf078f37346eebd2feb90feda5c85496dd206103828e03e4e3eefc0c230131cab424b9631e328bba9b73f93bb940283e705139d |
C:\Users\Admin\AppData\Local\Temp\KUIE.exe
| MD5 | c1eee75d0a9a2a040b9244e17374a1d9 |
| SHA1 | 0736fb2431e38a1def178cea83fea6358b66a379 |
| SHA256 | 67e351a587afc3f27d910386bfa8131bcf037810fd37c38ded3fecb050783b96 |
| SHA512 | 1c226f625639e7cf62c0e8f95accc261833cbd5a1263276f35321669843e75d14c0b37f570319c88e801b802f9ea0d5684e5769ba122ebaaf3baa479d1c7958f |
memory/5152-560-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EUsq.exe
| MD5 | 0613cfd66e1526a886d0c28c0612c3d7 |
| SHA1 | 7489da403894dbe7519c5d8fd256e8da9e4906bc |
| SHA256 | ad53fd0a804d81e07eb38c61f0c3ec1820e009922038f4001920c1a5768a6a54 |
| SHA512 | 2ccb1a91906f88183169ab3bf322f01c7d48bacf4ffd6ffac827f531370c5040a979838db9be5ab0c13718c2084f03a38e5233d93468cea7c9733a195ee2bbac |
C:\Users\Admin\AppData\Local\Temp\qYwM.exe
| MD5 | c867deb62b3fcca358eba64bde4a1382 |
| SHA1 | 099b36eef0e18985c592ef92874be954ee6854e2 |
| SHA256 | 8ed1ad06c4b2a6c7253c4af2203be30b3fc06b48c4997e8dcf2c754c2ac38506 |
| SHA512 | ef5b9f5bef8ab2929a6565c915022f4b0047e8532b76fac4bee5e8478e3f4c97bb5ffd0e7697bde250415782da948fb4b6398808b4c57bfc7adcff70c5c13f1f |
memory/4716-576-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\skos.exe
| MD5 | d5371a8cab18eea58dd46879005f8dcb |
| SHA1 | 7d565223a167745b5ebeb940f1ebee59bbf793c6 |
| SHA256 | 55ec821e107f005c6df0b965480c74b6667f208bdabf0fb54c297cd6458a15a5 |
| SHA512 | 89484a71c7bf5ee6e76c3c86ab9bc125b886d07a07bd544e6ede21fd9ce342f09a1801882329036262b6311715c7d27fcf4d97219d61a75cbc32737955676131 |
C:\Users\Admin\AppData\Local\Temp\oAcm.exe
| MD5 | 1d10b6f0dcc283e7d383718b62c5b8ed |
| SHA1 | eef90a37bc8c202487a19172bff0799cc64b5c96 |
| SHA256 | ecb232dda945cfece5e0627bbf9a7d9c9be03ee46ba61fdba77b72a4a685cef9 |
| SHA512 | 12abd1ef1549824dc0a55b41eb97a7e7e46e49f0143e41f0cd2565cf28806db85b4462bc3740770013fd37051620d5dab02ef673350b4316f8962dfe9f9ec756 |
C:\Users\Admin\AppData\Local\Temp\yIAc.exe
| MD5 | 4c7a2a455b09362411b915eef2e1ae95 |
| SHA1 | 27e4f92754a6503f9995d5b6ecfff5a36e3d3218 |
| SHA256 | 9b6136691333f1b6a4b06c1d32c5c28ac9ade33dbb7aaca521ac8c28c7c5da22 |
| SHA512 | b4f57fd7e7574a2a6735f6956e26d1639fb6d95aeb839c8830c38ea767e69207daef7538f0e9bcefcbe70823a604029fb323a46fafd451515eab1274b3c7a3ec |
C:\Users\Admin\AppData\Local\Temp\awYS.exe
| MD5 | 0a58fdb5526abc49f946a79e284347cc |
| SHA1 | 52fe176bce49f7e435495b0e4dbb8103793eac86 |
| SHA256 | fc7fd612122b94453c699e1fbc892eb402eee13c3cbf199bb2b18ede86d940b4 |
| SHA512 | 57ac48394b30cda5014a928285badc0ee4938ca9ae95691512707897dbc32467cac75e417f89774b88d87ab8c036af45c0f13a1b0a7f3064ec2f19f4f5452714 |
C:\Users\Admin\AppData\Local\Temp\iggi.exe
| MD5 | 900430f5d5b1138e71ae027f9ca61610 |
| SHA1 | 86e1e1324e7a43c71bc1d6a94946175a4e79a06c |
| SHA256 | 01d702e1d5796e5a46d61ebede5e3f35d2fe5e293d2911235205ffa9907bdeb4 |
| SHA512 | c34448b55e0b52b170afc0fcc99610229023fed63a64596dfa8d268b0c5a18a45cc3c855ad7b3a5916a99e2067a6e6bb9f72e009b0a4c5332a15111e6e3f1142 |
C:\Users\Admin\AppData\Local\Temp\yUMu.exe
| MD5 | 703bb2dd802ba2ac59b5df3a81a36a74 |
| SHA1 | 672491fc2561b3678450c8c1aad7c327755f8c67 |
| SHA256 | 73c06df4af6844affa852d208e9782093c8361f93a4ccc7884f9ca00056a61f6 |
| SHA512 | b461604afcb10bb63ed7bd3e859ecdfcb8d32b0b4d69d9f205984c536bca1ca8e3305b531205ae6d8077e1083988e0d7e62acb4facb56435d04f89c9b19a12e3 |
C:\Users\Admin\AppData\Local\Temp\CcQs.exe
| MD5 | 4d2be5145ff12c14a6b8d2f315f3fb27 |
| SHA1 | 9796a9281e72ed8a674d689264b4a375e56db97a |
| SHA256 | d1550eed84b08e83fbdd4e288370d26ca9287e808f2d6b6298ef37151af49f96 |
| SHA512 | 5ed7d332ceea2c31a70f2cb7893bc23642912f3e241388def0fed263be6043527eef5e6b6643bded0118c0883fdcd44d81ca0642c97c07b51ccd133bbc0d7759 |
C:\Users\Admin\AppData\Local\Temp\IswY.exe
| MD5 | 42b608eb618fe29b80a82397b1164149 |
| SHA1 | 11547264803551ada5c6eb21daf6381177b6f637 |
| SHA256 | d831ed55ad5ea106537498f44801f9069b9d708f3fe0061bb30c83d9f664d44d |
| SHA512 | d3c6504da402abe63c3d4d796f0665b204db3948895ff84fdd63fed3c8ad827be48baede8fc203c5b16f777dd4fc74b6bfa854936dee9ceff42d1cd7975a2ff4 |
C:\Users\Admin\AppData\Local\Temp\kIQS.exe
| MD5 | 064ab0ec6b88242cc85f50ec3da6a072 |
| SHA1 | ec086025d3e542199098ef1453f8c4e663bb894a |
| SHA256 | d37c032c4baf26882ae975b11496f2947d47c57b6981411abe584abc0871c764 |
| SHA512 | 2ba9218010fb63c38d2388964cab55eeae90bcc03c6cc3f9ce276f476728f56536bab348c3435e12a2e42c3788ea0baaba6159e6afcef323c41e7ece9e4ae743 |
C:\Users\Admin\AppData\Local\Temp\Qgsg.exe
| MD5 | 4335e05bd598c82361d204d6279c9045 |
| SHA1 | c33891cf1d05d4d24f9c429b69df08b3387787ba |
| SHA256 | 6c56b73c1974b8a1a2a7b42143856bf69e85bfc2038871b876812a086dc104ee |
| SHA512 | e8a7439d7469d0f1dc8257eb2a79b315b7f4df7884e7a48aae6363f7c3d215d8fc79d276bd324f047612549366f1550a5dc749ade4ad152e93a0484351184895 |
memory/4716-768-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gokO.exe
| MD5 | 40ca4508170e5ba22fa5cf1c9714225e |
| SHA1 | 58345694540e52fe7c56445d149614bbf589cd64 |
| SHA256 | 47c803f3e7f35413c2a74f37c246aaf4adec74d958d55b797073e9bc1076fa75 |
| SHA512 | 4fb3d01352c31d2fb42ac9108703c14faf5b086637f91dcd4e3988293e59357aa71cf3cc0f1a2f22474d2f731fed1f61dda659e32b696298fdb34b6466bda078 |
C:\Users\Admin\AppData\Local\Temp\qEww.exe
| MD5 | 281cbc4bd5c1844f3937b3da767e5d4f |
| SHA1 | 1b98efa3b0cbcedc50279b3c090693028e950875 |
| SHA256 | b0c7b352ed4bdc2d40a39c51552dd185bcfb9c51dba5aff6483af254dec1e562 |
| SHA512 | c0de960a375cda790edf4d63af69c0c028e81f7e4eee0ff4be6f38d69a99bf15a2bf1eb4eb753f8580c2c4bc6fb08309e235f0355b0ee6d2b06b46f787f70241 |
memory/2036-815-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GckE.exe
| MD5 | 0e654a3860358906f7d1b4fb8daeac2d |
| SHA1 | a3fa7bffc3d6f06a3cbcfa82acbf10b8dc13e4e4 |
| SHA256 | 24fe687b60eaaea387c6a409b04473f58c6e37de6aeb497dfc5680f16c049a4e |
| SHA512 | b5e6a990553636e10a4c8bfc4770a73a9befc8734b1728f9dc8cbb015b920ad776742e768e65d0de885075cfcfbfd78c5d23580870c86513cacceb172a58a710 |
C:\Users\Admin\AppData\Local\Temp\KYMm.exe
| MD5 | 42eecc135a508b6c0d9cbdbfbf5084de |
| SHA1 | 7d5c63d9ab91ffa753c1fb87160f4f2780109867 |
| SHA256 | ee4700386e2f9f79da7ca420b0c439090d1a92b657bb8e25e5f8fef2bff8577b |
| SHA512 | 5a2d6f9e1e876d8564fe2df0f20405f576dbf65c2fa7e190d0bf2d3c969cbb28c1efb896af85384af8a0b7d739523d56868e060c4ad280199dab35799344638a |
C:\Users\Admin\AppData\Local\Temp\eIMy.exe
| MD5 | eb8cf1d2defcefc543facad309385e0b |
| SHA1 | b6e6bf9561ccdae63f9852ed4f49787482fc327c |
| SHA256 | e2a181bb11beca44db7aee053252dd3d10459c125c6a668fce76e3503c8a9c54 |
| SHA512 | 28fbab54a9e3afa4802e914485e81fd016402a768b5490ae955db22ab2b045ad293e920d79b75543bec788a3c5dc410447e63665522da1f805034b67abc067aa |
C:\Users\Admin\AppData\Local\Temp\KUUc.exe
| MD5 | 021218c9d136c738fb3664e8924a3cf9 |
| SHA1 | 2125dbcf24ba6a04e67063a0ee014f6533d5bec2 |
| SHA256 | 37d794dfb526b93a05925540dbd9d081624f04efa9a4511081de5613e289c493 |
| SHA512 | e77eed84e8f799966320ee03abc5c28ae02c3d6d9075b711f70a17a0f80f6e1dfc9dccf0112fbff105a1bb4266e5e7bedea0f2cf4e5c255456cd7072617fe01e |
C:\Users\Admin\AppData\Local\Temp\MMgm.exe
| MD5 | fcfc674307cd7416621825c93dfd0425 |
| SHA1 | db7c86f39f11536cce27fdfa8b0cec7b41b9199a |
| SHA256 | 25d0cea7c98d4b1aaa309cde35ca86ab866cc17eed99114876092709b23ee018 |
| SHA512 | 1eb466582d953f0995c95f3f9ca534d5e884ecee2a9cfbfe0afd092ca4308e99af3b1e826e0d12eb0051db557072e1e226862335058eef7a5a427fd04e5018d9 |
memory/2036-886-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CAcU.exe
| MD5 | 53e9ed8e94a8cc7c0e2b6dec7a9ba131 |
| SHA1 | 6f0ac20f201272dbabf93bf888e2e67800ee050a |
| SHA256 | 134ef7f6a792129b56eddc188551112abeec5d0e7417f8295553f004fb9b38c9 |
| SHA512 | cc0324979b6bdd2e113b46347918f14b79a03d3dbb3d19a13f409bcbe4f9b5e9c9dc4fa02c4129cc7d6356b075c0e60aa59d74565ca4aeed8a30677de8932804 |
C:\Users\Admin\AppData\Local\Temp\YMoc.exe
| MD5 | 263f59ae0b327e740233480d7ace3bdc |
| SHA1 | e5b707061421deaebe45cb7a9ac008b24e8046e9 |
| SHA256 | 1554d0d4d19d59a85143ad2d45262197793a37ede53707743d144daccc3c9172 |
| SHA512 | 914346bbd5a49714ddaab628223bba669d7f474e4f5ec747cce581c9b0347026306820c2811d2cabdb3a3405a0d279bd7b7c827f697301dac95e6403d5a2db05 |
C:\Users\Admin\AppData\Local\Temp\swwM.exe
| MD5 | 6019b356fab3104e5f5e548b3a71f019 |
| SHA1 | bb4cfe02da653b74e0f414325c4a7e24dd908e75 |
| SHA256 | bd3d508e67bfd26c3623e43edee668c951273d4cb40adf840fc4f96cb1922904 |
| SHA512 | 2c2e7be6dede67081eb892afb1ae4cb4dc91cdf593d96eb17dd817933a67cc43c2d3b42ce4742ce1ea077b349934e9322cda62029053d0236647fa2a9151bacd |
C:\Users\Admin\AppData\Local\Temp\ysMm.exe
| MD5 | 8d65551cf07a1ec722563d3c72d5c2de |
| SHA1 | 02a68fc666e6591994610babff1566fa3b511580 |
| SHA256 | 1f04ebf2b3405cc214051ec9967061759b6eed2e8ccfafabcade19ae560c413b |
| SHA512 | c9e12e8579b2fba1f8a0dc4e8a52587c4cee9717c8b5ec4079b792401ae9a3cd67f0e2b261445a399ec31be8f08cdb076175423287c383826e89cae9a151fa19 |
C:\Users\Admin\AppData\Local\Temp\yoQe.exe
| MD5 | ac52323a828ee1568c646250f8ff0f22 |
| SHA1 | a2f268b5271c97f5de86ea8db5eaff79c32bc726 |
| SHA256 | 8fccdf8218c7f18ae5679a711cd3afc57d8eb89822a26e38feba04f34f0cf9b2 |
| SHA512 | bc321385d7de7c1b9b67ee691f2e514b9713d1b6aedac688ab7a7bd26438abd5c07ec5d7f966e1b9ccbd974de52e15c33cf45bdf055eecbfffa305e3188eef64 |
C:\Users\Admin\AppData\Local\Temp\SgMQ.exe
| MD5 | 5208f18af3f3b67d7c4bbb6baa4a2ad3 |
| SHA1 | a2b2ed5c16e5744974925e35a9a7d66c13dc9657 |
| SHA256 | bbed499b8e373b7708957eea93550225f732c01640579122fcb92fd22d18019a |
| SHA512 | d1e852e2c71d8ac6f28128fab767478d40c78df2c87b8c0c06ed07c325353b692e92f96b7da4803bdaab06d836729f240910597737b6a2432785f2ab8df3da65 |
C:\Users\Admin\AppData\Local\Temp\AEkg.exe
| MD5 | 449cb93b60c206abe07760a6fca790ef |
| SHA1 | fd1d6d0e378b5ecefe9ef20644837b1dc080cbe0 |
| SHA256 | b75b3f9b15a94c39d3d97adbdbfb41b85b7a757ca7d738e6a5f3904c6ceee665 |
| SHA512 | e5ffa53bccf4cf15116e3347b93156c4a3c2aee7c94a07883698b68ce083f39e5e3415217d5599a703b4601774ba7d1b57ea08b118c99598ab0b6288e2031204 |
C:\Users\Admin\AppData\Local\Temp\ecsc.exe
| MD5 | e88481b7e68e169e58739396d45ed002 |
| SHA1 | fc271136663f29201029bb95bc1695768ced3c5c |
| SHA256 | 16a77130a94903ec5057a781a57ed6ffe3ee9981c6641e26502fbba4b18f486b |
| SHA512 | a6b02ecb96dca7d18dbb3bda8b42dec064412abdd1925f657603e3443d3922ee23709ab3922fca0724176eb4ea21a7db0dad3b979a7475d344307fdd1a55ddc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\48.png.exe
| MD5 | 2c3a98ef1a29449c47dfcbf1cad193ad |
| SHA1 | 19ed052540be0140e79790c7212ff0daba825d86 |
| SHA256 | 9eb76a31c16d086646c620ac358c9568fb69ff78e38e4a57613fee32f59e7ff8 |
| SHA512 | 1389cc749857109bb0bef2a012e3b8f4fc73f9805fff9524ffd558968260dc39a53e0ea36e49a76456eff0a5f233f4412c9dae112365822d14ac2f111783233e |
memory/4396-1033-0x0000000002200000-0x0000000002220000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Yssa.exe
| MD5 | 4595eef47354bd4bc6ecb355ff8d81be |
| SHA1 | 10e02d3b2785a2626b9e551b0ee646b1568178bd |
| SHA256 | 5eac0cf5d18418b46daa60e30250c32ef6143a6bec928ad8158b7d0aaa1ab6ef |
| SHA512 | acfef28a0fbd13a2ce1a3d80c1074160d0819a5809c6e297f1d7ff11ad046633d4b6106cb560f46246b4e499d156e7f1e9031a0c68ff021201ee1b6e51d0ef52 |
C:\Users\Admin\AppData\Local\Temp\CEcq.exe
| MD5 | fd9a618c7a14cb4b8fd95d029b6fd6e4 |
| SHA1 | 7045fa6997a4f5b9907a50023edcaa42b5554268 |
| SHA256 | bf473baa798f1394b17383d0d039490a4aa83ec16e76f6a900cfa02c085d5df6 |
| SHA512 | 2d365384b49734aada5c44fad5022d2807279ddc04cdd7ce9725871321caeabcb9f44ddbf61949c2aff7757923035daf75266d15a0949d98a2aa6a5009b3176c |
C:\Users\Admin\AppData\Local\Temp\EMwm.exe
| MD5 | 41eac3216b39133b755992b936658f3c |
| SHA1 | 8b8b8c01ac1e105f546a5d87d34e1456b9cb44ac |
| SHA256 | 72a80b0a3d92fd66f02424592e7c960a4676dbad196d25f92956519e0b58a4a8 |
| SHA512 | 7d1c718077b2e09e7456224e14bde05a3582136725f87c033da79d0d972956dda449192ff4ebc48820697a61adee07006d738f812a06b1995dec76b73d45e111 |
C:\Users\Admin\AppData\Local\Temp\YcQi.exe
| MD5 | 6143b22d9ce69cab56eec16a46c8d5c4 |
| SHA1 | f1a451c7e312578cdc235b90a68cae3304d84628 |
| SHA256 | bf3fb366dbaab5e925e0865a9f78c4d84bb1bcba84682b162e95fce9397d5e26 |
| SHA512 | 933be5678c7c06d4d20f3acd12701ff6e43665211cf5ebf49ac41ca7666d8b165418b3a03e23f182093a4871d63cae5633a5b650772c8aba922acb41e7353a6f |
memory/3796-1093-0x0000000000400000-0x0000000000B4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AQki.exe
| MD5 | e6a6d92c9f93ebefa5396aa8eb82312b |
| SHA1 | 5d0d5068f52795377c79f37e38708d5d65715313 |
| SHA256 | 4651350ff60d5b524fccf02d099cd7b4cc0f715ea35689eff20604ac95aae84b |
| SHA512 | 3080b594f1018b7cd061170ae27887c8d11c5c87ea6670da2de1de7810a5cbaefd0ce81d61a6fc27f387fd8327da6e9d5ca8b8c2946e0fa05c22445a0ff437d7 |
C:\Users\Admin\AppData\Local\Temp\gAEW.exe
| MD5 | dc1480a285746084a896ebedf5e3e8ca |
| SHA1 | af6b4b3f6d4700115dad2aba2db99d1ae2132e7f |
| SHA256 | 6b57f371bfa4063988956834bc24da63957a57b2a83b6a0dc503a52da519846b |
| SHA512 | 7ee07ca6652b54176f9281d8e3a2ad8ee1ee7b77e16c4565ce1858957aff8cf26b606bff7afa87b265d588cffea10359b40de89e6bddaa21093b360f964a01f7 |
C:\Users\Admin\AppData\Local\Temp\igcM.exe
| MD5 | ecb2c2e4d3c005a765b7f95264e7bd92 |
| SHA1 | 0f75bb7dd81b29699f431845827fca0e78744a51 |
| SHA256 | cfff0846d0bd6a96d43620b640b40c0299880153c8c85a09db535cd0297a30b7 |
| SHA512 | 2ad4ca30c4b675fdc2dfa3f614e4f48eab054f9619ab31326d43b5663be7afc5f4cf28514fec106d06657997650d3b108320acf3c34f59d46ee2b74e0a67853e |
C:\Users\Admin\AppData\Local\Temp\IcEW.exe
| MD5 | 64b8f535d31c9ef8c633a107220d16ff |
| SHA1 | 649b6d0b2c47b4d018805564ff03ebacf0ddcd53 |
| SHA256 | 92a4d1c7ec7fcf61815f963d069b7f8e2db2826c864748cbad54f1a6ded82c06 |
| SHA512 | cdb75ce28dc2f88fd113bda5e95e5dae860388a7ec445cab907840b3ec83b0d89d9e583925b2fc4092db22ae75271dfb3bdd77ca662fbe4e2fe1441b59170da8 |
C:\Users\Admin\AppData\Local\Temp\aoAK.exe
| MD5 | 65fd0a13717505816455dc34d403538e |
| SHA1 | 3f21c60891bb858b504c4b1f9c249ba744c642dd |
| SHA256 | fcc0f635752e12031c0201a68df426fb6a5946848391c1302398988643b79195 |
| SHA512 | 4b5177fde82b3b6488a5b5138e06171556d7b4e7502d83ce2ec48baf33575e2a96abceb42ffc6e27a89a41b079ed5ce603ab873091b0a039456d6b667c755f02 |
C:\Users\Admin\AppData\Local\Temp\KAIc.exe
| MD5 | d17280484bec5d853212d3cc70307576 |
| SHA1 | 7f5a13bbefb42e5bd28def0deb6cd9e6ef4afb9d |
| SHA256 | 04c3d7356c78d98d7414c287bb3dd6cea358f362470ad7c8666362babd4b5d8f |
| SHA512 | b57466612efb6f333b15965359f053dc0ad712f3b43a200784634b7cb35372e8f810a362d9c7695e14732d4ee5175198098ea6f1a926ac004a00c71077a62b59 |
C:\Users\Admin\AppData\Local\Temp\uggK.exe
| MD5 | 1adcb1bc4d27b6e1ff20969fd4041fa4 |
| SHA1 | 27833a4125e8dbf4f9b08c1cc0b1eb1becd95da3 |
| SHA256 | d3e68af4d52607f5354a3e28c840d3b2fafcd80c685a15d4add988b755113a5a |
| SHA512 | 5a2c0c50e16661fa353946eb5cd8d43c79be88a2927b6a14cee6e41d2833c4f9278649bfea9d4b80381295cd274d21c89499ff10d0b0a200ce8d3ddd85ede0c9 |
C:\Users\Admin\AppData\Local\Temp\QIcq.exe
| MD5 | 7e1cafb5a0453c68b6dfedb31f447c18 |
| SHA1 | c7a2a02271f9d006f9a03c0834980bdae93849a3 |
| SHA256 | aed008eb5bb5b7d8d6f70c289c991cf7771c75200e2392a0d66a22d418b4cb8d |
| SHA512 | bb933a8be825fca5581874092e3a9b3a3c15dec9e0a734a27389e97cb7f0fd8edb0d1e61ed6857582760465ca7373ff17dee365bf438901cbdc7041220120f90 |
C:\Users\Admin\AppData\Local\Temp\Kwci.exe
| MD5 | 4d963684eed9285fadd5f760e9f44ae7 |
| SHA1 | 93e3fe0dd9bd89cdd346dbec7bf36bc36a6ade03 |
| SHA256 | 890f8778cf73cc60c820a766b30f49ccbf785e2a1e6c208703d444c70c626de4 |
| SHA512 | 2ac7b7967762deb2b2afeb198edc66536d931b57c4ba7bb28c8bb00840df9fc55d21733888203c3d5e6a76e84b02f5a12938d54cba0730e1ee0c1b4ebb700810 |
C:\Users\Admin\AppData\Local\Temp\agQS.exe
| MD5 | f66caae8b93e1d36368f28d9d17b68b9 |
| SHA1 | ccd409b550cdd50e6f97ba5a5c1eb2f9649b95bf |
| SHA256 | dfb682a036abbdfa9d758d8ef61efcad937623b19d56415fead1b5b4e5b73eb4 |
| SHA512 | c79533419b684563cfe0680cbd115a1b9af0d49c94d04ca25b608a80a68c72773011cb99e7de524e17c0b08e5725f6811826ff53c91b15fb52ea7ff48a1fb9b9 |
C:\Users\Admin\AppData\Local\Temp\QQwO.exe
| MD5 | 796b2d976ca7f3bc7eb9600e34941241 |
| SHA1 | 86cf11716f9b7e6f6f06056ddccbf942d85b2530 |
| SHA256 | d24ea31edfb40ce8f4ee038197a85c2b6f27561bd966926435ecab17b2b399e3 |
| SHA512 | f6b72c1f506c78555bd76d453deaa54b3e4ec6a0f2f0e392edde77c33b50fe1d46f88b11803b426c00fa47325901d8223d2e3fdcc6bdf9f06e232e5c6bce9afd |
C:\Users\Admin\AppData\Local\Temp\EQAi.exe
| MD5 | e92f180b187c05fbfcc3d9fd1873f8e3 |
| SHA1 | 861edbd640208b0f73be78f3adaf22b1a50295d5 |
| SHA256 | 25aa7598918af20a1b1d02a27457d2fc22c9f91feae0ddffa425725e73501152 |
| SHA512 | 60db14b29310528a94557dda735badebcfd9eefb9fe5c3766edc4ba4247bd850fdb5f6496a5135cc669b252cfab05b2b1b47abbc704d6deb943e338ac399ee0a |
C:\Users\Admin\AppData\Local\Temp\WAoS.exe
| MD5 | 9effdde610d5040f720c359f1b005684 |
| SHA1 | 8aaabcf63192092e2a54d4c5fdca2c003244d1c1 |
| SHA256 | 589bb25f3db6ac74dadf2396925f3dc5d3738b4f78b3a30de4030f16d991f93c |
| SHA512 | 0f5da2c64d1c7fcef4a95fbb0f9783ce0ec0ab8b0db2411525dfc9c539ace56f80b85db286faeef76648f4c2c6c1aacc2a055b03beff03da2fbbaab84091dc08 |
C:\Users\Admin\AppData\Local\Temp\SkIC.exe
| MD5 | 097415f1967b47d546107e909697e90d |
| SHA1 | f87770f3f47eaffb83b10728990857aa36669db2 |
| SHA256 | 3d7fcced14f603d6783e912953ef879b2cf30ff8eab64ac6d708a709a71dce39 |
| SHA512 | 5d05507b372fab9dfeaf582c3d2c49ea0a7d16adcd7e04090268422ed4cfa50c71c23c3b1c0c15c67176d9beb74c1d86af19a3f380c6ec4b9474f466796fd778 |
C:\Users\Admin\AppData\Local\Temp\QsMi.exe
| MD5 | 4d88e3cfcc720fbece2d791538b9b64f |
| SHA1 | 2dbcb8b8c43cb56b05087ddbfcda8f19a8b07ba6 |
| SHA256 | 2cac22b90ebd06e028a6d3a4f0a8d55de22e554e2cc292a167a3cf8f8c3f2f66 |
| SHA512 | ccabc63dceedade60bab408c65746172a051aded973e3101622294ea1fe56f964e747fd642292ccf633010fe15535272c69c329b0b0c7646c47b11aa06285320 |
C:\Users\Admin\AppData\Local\Temp\MkoE.exe
| MD5 | 9101a1250e90de385349d0cb45fe5310 |
| SHA1 | 4d812168360b8f8e8acf7ea9dcb9bbf3409c14ab |
| SHA256 | 7b3e7a1aa3e10493fc5523579c26e00a2327e7b630a5d1b9ba50e246da84d341 |
| SHA512 | 1d82b17193b637e6373712455796dc0be3cb00e7fb7d263bf94d14f66152aca62eca142104e8dd7e6bed5ec67b4f5de93e136e2688f8eb94c88d2da5e68f722b |
C:\Users\Admin\AppData\Local\Temp\WgIM.exe
| MD5 | 8d6d18dd97996082022e698c76941645 |
| SHA1 | 35becd1eea7381503844bff0eb0ae1b48e3333d8 |
| SHA256 | 0417e322bba824b2feb36aca90b2f659b239091df000e3bcc61293852649cf83 |
| SHA512 | 87d00514dc911b3bd4810d0e739c8b4a7843525efed6e3bab0bec2c19c642c6bf417f386fa55c0fe6f7eb88321302bd9711825f4d4ffcd7756436b24265f8dec |
C:\Users\Admin\AppData\Local\Temp\emww.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\Qsck.exe
| MD5 | db53b5b4739218b89744c1c74aa4df34 |
| SHA1 | 68e3972b4b2b9254d72f16892ab818d71ab328b4 |
| SHA256 | 706c89f1706766414257108e8966f1453982e31ae735c81e2d1b7b604b1ef54b |
| SHA512 | 32d0838915c2a60ca7f1e9efc4b93f656e2960746d13e8a6dc5c32f42a8d75a6c4a62732a0e11ca9ec38dd15e2fa69e54afc60fe2c6e1ee60b5a5f853a1f9668 |
C:\Users\Admin\AppData\Local\Temp\oMUm.exe
| MD5 | 28efd9e381b281508e67e13ac3026f2f |
| SHA1 | c8e6f8cdb0dbd4c2c450838b64b152cf9001abe6 |
| SHA256 | 4999e1245d60173882c8438ae8a73f6d826e03866b3b7b07e9444c31d4a452c1 |
| SHA512 | 666b6885c833a453f09412f9a09301e868350cf3af36f1c5299878779b068457e6e38f78bf6cab7a0bd567716ffd1adef9aa9536860e8aad675ecf7c13d34ee2 |
C:\Users\Admin\AppData\Local\Temp\CksM.exe
| MD5 | 848137624a98fee84c11dbe767df5705 |
| SHA1 | baf468dc820f83ef0c169ad9e09f62dbb04d99b6 |
| SHA256 | 2a4a73d8c7fb146053ae62189ba644feb2f284e81fff758a3056e66436bda164 |
| SHA512 | d6738ea30b9b89e6bf2a7c5757ad1bea6aba5c82cde1b076c8c4904a51d1b2872ee8c3396342fef312d70c9a6c56f0766eb6e1950f475e65c6690c204ddb5bb9 |
C:\Users\Admin\AppData\Local\Temp\WUgS.exe
| MD5 | dcfe76910795e5ef7ce8557258d70603 |
| SHA1 | 3ff07148df2d2a2aa580c7611770e73467dd0d64 |
| SHA256 | 5fe70668d62c1273b0d27ba2041c28f490d5925571ae31074c926a9a639ab655 |
| SHA512 | de5ff062d1b18b39577e617d0d4794e9dd20778ca8667763762337b48345c5adf9418d3a880af96d3bacf47024dd42017a45db95cbe4d2ac2f5f2254aba68f8d |
C:\Users\Admin\AppData\Local\Temp\gkYU.exe
| MD5 | ee3aea3ac0c40b75f6f5c1c721c151ee |
| SHA1 | c42b80e5025ea364951acd1b7aaeff33af16e08c |
| SHA256 | 4d0ecd851671c6fb7f2f98ad9e553a735ba3799c11d1539e360197fc8a9890e9 |
| SHA512 | d28ab8286a6601fcc28f81b20e758a8b4b52ea924137ed24b385eaf9921fa523bb70ac47b45d13b1ed1a8a6aaf662df71e6f7558abfdc3c5fe6b349e76a17adf |
C:\Users\Admin\AppData\Local\Temp\okgk.exe
| MD5 | 049aa12219d8ba95e8a972b3ad28a5ac |
| SHA1 | 99908d08d4750e5b7fc2fd4a99f8459b9c243c9e |
| SHA256 | 96d95168354f4bc2534e376a28d9d955e047bc3f384eecbac5f8d2ec51add0ec |
| SHA512 | db5606f2712e25776ba25bd1a2043d149ca7f188b3fc48fbf22647a8ae99f4f7b783ae65d42267f0040acbc6f75393a306d14cc2e34adeb24b243a1e6d34bd1c |
C:\Users\Admin\AppData\Local\Temp\YYMO.exe
| MD5 | 760a0645ac8ad362e244380bf71be104 |
| SHA1 | 52008c6d572af8919a0145b8b2b77843d29be0d0 |
| SHA256 | dfb58b2006a7ee603182ce3e85faf35c9904d63cff6372b70a63d2c9d69b2655 |
| SHA512 | 25f212fe24bd9f729456bc1353315877542689c5d4c0483c3a3b155bb6562b48558dcf6c53854ba7c56c18c334c32174864a059d37e2c5ad89f89c194e7b56d7 |
C:\Users\Admin\AppData\Local\Temp\aIIq.exe
| MD5 | 42703237c31b77ae4413f102d542fc72 |
| SHA1 | 7fdcd1894a962a35c9e7ff351ccfaa7f1330b10f |
| SHA256 | 861faba0ac84e46790b30e06a64cf57a6015b2b66f6d3dbeeb5da4de1e9645fe |
| SHA512 | 108425d932fe35be657640d36d3c83c924af9549dfa9eddef8c84e0ad36adac160c02778a1f86e4eb6af1cce828307c1ef672acad27f043a59bc0018165e3b88 |
C:\Users\Admin\AppData\Local\Temp\UYAa.exe
| MD5 | d1ee039320bdbfc6c67c99f2498c512f |
| SHA1 | fac1536e377be97bcae363e7bbe256d2d84b3920 |
| SHA256 | dbcba2b5c044f434255fc7f8a32da4fae716f38b18879ee65a9d34f2a8bad2e9 |
| SHA512 | 3cad5b44c93532c3fdbd3d391d7ce93a7bfbd94f2a96abe9bf53999d448fb94456fa9a01514042f539459cccac9bdedca44f0f127c8bffefb4b87021f3c651ba |
C:\Users\Admin\AppData\Local\Temp\IUgw.exe
| MD5 | b5b646544cc041cf1d71eff20a02ef61 |
| SHA1 | 2be4e519142ed22d0220e6b4c6de6d41491d6c4c |
| SHA256 | 930a0e39e53516d34d95d7e681dceb15f79dc4a6330211b9217aee406b570cd9 |
| SHA512 | bd10eec3b385af6da6bce13332f3e2533df79097ec59c5bc3122b8fd2b41f20fd6b98c50ecf342c33f350abf2162986bf96211bdf7660088a6e90a9783720d3d |
C:\Users\Admin\AppData\Local\Temp\mAMg.exe
| MD5 | a755c36149906081a2af3f7c00b7984e |
| SHA1 | a40dede0dc6a38bb73677b468321531e849e942c |
| SHA256 | cf6671668aaf017bc5e63fd7f85a87afa12ad5b1034b0b69926ed603c981046a |
| SHA512 | 34e75ede5225e0c9b21b84f3c57743b86d0dcbd1c52c432bc5aa8c3bff541d5fc479243c7c7a9d07a6680bdf9aacbfda277124089a0bb687edcdc88514d1e84e |
C:\Users\Admin\AppData\Local\Temp\CkUg.exe
| MD5 | 32cb068191b8fa4c32f02f78516e6582 |
| SHA1 | df63f84c4b4c128430aedd6b7952795544095a1b |
| SHA256 | 4f9d0ccf06499c1119a76ce1659d9c0615a95ec6866d1b69df25de6fa9fbfb46 |
| SHA512 | 1eaade4e94113e3500808ffa391cafe4384f4c6d58a140c4bd712eae703d474f1c538f63655463d2bd36a48902686c8ffee728a1e48e5161a962fa8a7b8eb037 |
C:\Users\Admin\AppData\Local\Temp\ooww.exe
| MD5 | 94fa9dac4997767ce05a2ab067b87cc8 |
| SHA1 | f359908803a85c0ea02446c61b1cb398c3e98dd1 |
| SHA256 | 890fcab6c087955c8c8bd3aa66c77bb60740c80df50e2d4a2ce33f2139223a10 |
| SHA512 | 3d129fbde0ef28d14274fc19560832a7d60772dfde29c266ddb2c11d31911f23030a32cad3aa0a9f30f70a1592d1a9143685489adb9ac7159b913289ec509d60 |
C:\Users\Admin\AppData\Local\Temp\wwAm.exe
| MD5 | f6962a4b7b5f5bd85c72fcbe5f4e6dc1 |
| SHA1 | 0cefe27afb051873351547c61b647388eac6304c |
| SHA256 | a3719b18f4042f1498cb3025425902dc85d2745521da09da2077005086e3ff03 |
| SHA512 | c5b7ed35c5915af00bfb4254478b6d11f1232d65795fbcb62a8b921fb3765719669d1a6b7e7d028ebf20b48d4bd7969aedfb9c2d84802ab4c4a5c37ab343e6d5 |
C:\Users\Admin\AppData\Local\Temp\EwMC.exe
| MD5 | 136c6f27c91cb0c6b5ea17d7434534b1 |
| SHA1 | 7942da30c0c643eb769d7a492ac2c1f71ea0091a |
| SHA256 | ca6264e87826e485c177713a346ed5da151cb1ffd4e438722cd0e92f3675553b |
| SHA512 | e9ecfa2d2aac5b1b3b6e0d82803a29439291a1db9877ca01a4e297f8a521fc8a6fd1f7076e2e1d47c8ce7517e6b5e5845afbd32dda38acdc1c716157dc2fbff0 |
C:\Users\Admin\AppData\Local\Temp\WIci.exe
| MD5 | f40de14fee7eebaf4f9ac9552292e7f9 |
| SHA1 | 64762d1caf17cbccd477c5d1c3b5e0d385f49c52 |
| SHA256 | fe5ca5d5bfae9a89fc997324d568fb9b73ebc3801563f88b84009040f943c44a |
| SHA512 | fe6a553c440efcc89a984464848361b8f321f0e7bda9fcc82b44847d836585b3674044120314cd67b6b889ac6212aef626cb59360e8ad80d6318ca3625e1e5a9 |
C:\Users\Admin\AppData\Local\Temp\SUYk.exe
| MD5 | b272357f943748d81028959b6001fd32 |
| SHA1 | 42c7dc09ec4bedc320338fa9903a7d0207a9ce48 |
| SHA256 | 2e60439562fa15974631a128a8bfd06848f3638194cc0232842cc12ae60fd886 |
| SHA512 | 01974db0b8334ce6280d5d1f167c9d41974ef5dbfee8989770ba336696cbe5088cf6afdde6c9a7e9b06eea19485704ace686dc8084dc8d0946edd8c6cb0194d7 |
C:\Users\Admin\AppData\Local\Temp\ckEM.exe
| MD5 | 79a434294542af3b49ed1edb78a95ecb |
| SHA1 | 0261b2f6e155e9367a0001522ed218e7c781e933 |
| SHA256 | 361952550b507fb9dca795aed9853bbe4eb61b560c72fd0decdaa75be7290cb6 |
| SHA512 | 53f9ecc85c5c2425c29e346313a9142979e553aae310504fa45fbfa28656b427b18e8b4bdf5bdd68bccf32338283e2f222e4a94001118a9df7abcfb177b66a7d |
C:\Users\Admin\AppData\Local\Temp\EcQg.exe
| MD5 | 37c38595236706c07469c1ce45f655eb |
| SHA1 | 43a01e396f05b2099eac8bbbd4b824e108eccce0 |
| SHA256 | 1351114f22a8888796b6c22193090b2cb59da051f5d4da9e8fa71810f9b7733e |
| SHA512 | c5b30f91123d57f3fd9503ba0eec8b153a73b4c6ef356b587d57cf6c36c743442a2e76e6537abaeda86464c93b4be5341ae8a90ff687032e6d261d08e9bb3c65 |
C:\Users\Admin\AppData\Local\Temp\UKMk.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\CMEy.exe
| MD5 | f3a07c47c06e0f3a7b7bc04686db07c7 |
| SHA1 | f84c6ab920e4e56b0e8ee6f83b961722a03b434f |
| SHA256 | 9e1c4f3b6d619f6673b8913e2f8b4b6e14bfe950bf199c53611d192eac7d9074 |
| SHA512 | 0a72749f5740bad4ec650fb65dea8037aac5ce120e6e782300e0096986ebb3ba2cea89baafac0c971d0be7c0bbf1a2c2e17053acbe698ea458fd57ec1d7c0f3d |
C:\Users\Admin\AppData\Local\Temp\AgsM.exe
| MD5 | e4ee28fcaabdb0f5ab3e1df87d8cc405 |
| SHA1 | c4b1371658ab91a24f38244c28cdf0a599b20618 |
| SHA256 | 23688ae919530fd3ca87557a8444eaac3e644d61dfbe73767869708dbf0e6358 |
| SHA512 | 8fe3210aa973c0242b0056e629310656107c43dcaa29d9a5270bb66e07df37ec0cd35f56527d69cde9ef6e60d49954dcb9b898371d55cbfef98f91432b4dec62 |
C:\Users\Admin\AppData\Local\Temp\aAUq.exe
| MD5 | c3bc1bf4b4d7f1c62d5aa851bd328607 |
| SHA1 | b2b682e77677abbf256d647ffd0eabf7246f6a5e |
| SHA256 | 7306545d37555531953338c2055380c54041a9262d8c6b0497bd3f26f80cd69b |
| SHA512 | 9a8ebe016bfef4420f49d47c0961cec747f5aaec589b1f7afd4e525f9da449b200517a7867b3945cb780203fd9c2997031e497c76e5c35e7589dc0f2de6dc131 |
C:\Users\Admin\AppData\Local\Temp\ogcc.exe
| MD5 | aa1d8822967ebab42d2360692c6663f3 |
| SHA1 | 73d411e8efc6a4a2cf39142fbc204add19672bac |
| SHA256 | cd1e2bd5d6fdf5aae03d887146a012c8077bc08ae8e608d8f989ed1fa572ba2a |
| SHA512 | 00f04aa6abb2e35204062e0d749739a0b9e3b5acf1a642fd4e594110d1726e8ed1cfa36ed22c7e6140861fbb927c8d59e5086db0470fa38aba59773ea98a73f4 |
memory/4396-2177-0x0000000000400000-0x0000000000590000-memory.dmp
memory/3364-2182-0x0000000000400000-0x0000000000590000-memory.dmp
memory/456-2187-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4444-2192-0x0000000000400000-0x0000000000590000-memory.dmp
memory/4456-2193-0x0000000000400000-0x0000000000590000-memory.dmp