Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-hbgdzshp5t
Target 2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock
SHA256 2711846550c5f26660cefc9a0a3baf100a01492b5b7153254349dc487195743a
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2711846550c5f26660cefc9a0a3baf100a01492b5b7153254349dc487195743a

Threat Level: Known bad

The file 2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (79) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 06:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 06:33

Reported

2025-05-15 06:36

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (79) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEYkoIoI.exe = "C:\\Users\\Admin\\mIwUswco\\TEYkoIoI.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEYkoIoI.exe = "C:\\Users\\Admin\\mIwUswco\\TEYkoIoI.exe" C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" C:\ProgramData\xwMUQUkM\YSswkYcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YSswkYcw.exe = "C:\\ProgramData\\xwMUQUkM\\YSswkYcw.exe" C:\ProgramData\mOEskksE\YogoYcok.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheGroupCompare.docx C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheHideCheckpoint.docx C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheReceiveJoin.wma C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSwitchReceive.jpeg C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\mIwUswco C:\ProgramData\mOEskksE\YogoYcok.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\mIwUswco\TEYkoIoI C:\ProgramData\mOEskksE\YogoYcok.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\mIwUswco\TEYkoIoI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Users\Admin\mIwUswco\TEYkoIoI.exe
PID 3408 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\ProgramData\xwMUQUkM\YSswkYcw.exe
PID 2596 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\ProgramData\xwMUQUkM\YSswkYcw.exe
PID 5544 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\mIwUswco\TEYkoIoI.exe
PID 3408 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4768 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
PID 3408 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3408 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 2324 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 5364 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 2324 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\System32\Conhost.exe
PID 2324 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 980 wrote to memory of 6132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe
PID 2852 wrote to memory of 6020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 6132 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 6132 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6132 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 6132 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe C:\Windows\System32\Conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe"

C:\Users\Admin\mIwUswco\TEYkoIoI.exe

"C:\Users\Admin\mIwUswco\TEYkoIoI.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\mIwUswco\TEYkoIoI.exe

C:\ProgramData\xwMUQUkM\YSswkYcw.exe

"C:\ProgramData\xwMUQUkM\YSswkYcw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\xwMUQUkM\YSswkYcw.exe

C:\ProgramData\mOEskksE\YogoYcok.exe

C:\ProgramData\mOEskksE\YogoYcok.exe

C:\ProgramData\xwMUQUkM\YSswkYcw.exe

C:\ProgramData\xwMUQUkM\YSswkYcw.exe

C:\Users\Admin\mIwUswco\TEYkoIoI.exe

C:\Users\Admin\mIwUswco\TEYkoIoI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIAkckUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwQcwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqYYsAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKcswMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AacYsIws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TesMIgws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUAIYcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQAsYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sikQQYos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgIskss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQMAkMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIckEksk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUAcgsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsQgYwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCgEkQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMMYIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAcIokU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqEwIMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUUMYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-15_773a966407bbea24239233f52d002ef2_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network


Files


C:\Users\Admin\AppData\Local\Temp\SgMQ.exe

MD5 5208f18af3f3b67d7c4bbb6baa4a2ad3
SHA1 a2b2ed5c16e5744974925e35a9a7d66c13dc9657
SHA256 bbed499b8e373b7708957eea93550225f732c01640579122fcb92fd22d18019a
SHA512 d1e852e2c71d8ac6f28128fab767478d40c78df2c87b8c0c06ed07c325353b692e92f96b7da4803bdaab06d836729f240910597737b6a2432785f2ab8df3da65

C:\Users\Admin\AppData\Local\Temp\AEkg.exe

MD5 449cb93b60c206abe07760a6fca790ef
SHA1 fd1d6d0e378b5ecefe9ef20644837b1dc080cbe0
SHA256 b75b3f9b15a94c39d3d97adbdbfb41b85b7a757ca7d738e6a5f3904c6ceee665
SHA512 e5ffa53bccf4cf15116e3347b93156c4a3c2aee7c94a07883698b68ce083f39e5e3415217d5599a703b4601774ba7d1b57ea08b118c99598ab0b6288e2031204

C:\Users\Admin\AppData\Local\Temp\ecsc.exe

MD5 e88481b7e68e169e58739396d45ed002
SHA1 fc271136663f29201029bb95bc1695768ced3c5c
SHA256 16a77130a94903ec5057a781a57ed6ffe3ee9981c6641e26502fbba4b18f486b
SHA512 a6b02ecb96dca7d18dbb3bda8b42dec064412abdd1925f657603e3443d3922ee23709ab3922fca0724176eb4ea21a7db0dad3b979a7475d344307fdd1a55ddc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\48.png.exe

MD5 2c3a98ef1a29449c47dfcbf1cad193ad
SHA1 19ed052540be0140e79790c7212ff0daba825d86
SHA256 9eb76a31c16d086646c620ac358c9568fb69ff78e38e4a57613fee32f59e7ff8
SHA512 1389cc749857109bb0bef2a012e3b8f4fc73f9805fff9524ffd558968260dc39a53e0ea36e49a76456eff0a5f233f4412c9dae112365822d14ac2f111783233e

memory/4396-1033-0x0000000002200000-0x0000000002220000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Yssa.exe

MD5 4595eef47354bd4bc6ecb355ff8d81be
SHA1 10e02d3b2785a2626b9e551b0ee646b1568178bd
SHA256 5eac0cf5d18418b46daa60e30250c32ef6143a6bec928ad8158b7d0aaa1ab6ef
SHA512 acfef28a0fbd13a2ce1a3d80c1074160d0819a5809c6e297f1d7ff11ad046633d4b6106cb560f46246b4e499d156e7f1e9031a0c68ff021201ee1b6e51d0ef52

C:\Users\Admin\AppData\Local\Temp\CEcq.exe

MD5 fd9a618c7a14cb4b8fd95d029b6fd6e4
SHA1 7045fa6997a4f5b9907a50023edcaa42b5554268
SHA256 bf473baa798f1394b17383d0d039490a4aa83ec16e76f6a900cfa02c085d5df6
SHA512 2d365384b49734aada5c44fad5022d2807279ddc04cdd7ce9725871321caeabcb9f44ddbf61949c2aff7757923035daf75266d15a0949d98a2aa6a5009b3176c

C:\Users\Admin\AppData\Local\Temp\EMwm.exe

MD5 41eac3216b39133b755992b936658f3c
SHA1 8b8b8c01ac1e105f546a5d87d34e1456b9cb44ac
SHA256 72a80b0a3d92fd66f02424592e7c960a4676dbad196d25f92956519e0b58a4a8
SHA512 7d1c718077b2e09e7456224e14bde05a3582136725f87c033da79d0d972956dda449192ff4ebc48820697a61adee07006d738f812a06b1995dec76b73d45e111

C:\Users\Admin\AppData\Local\Temp\YcQi.exe

MD5 6143b22d9ce69cab56eec16a46c8d5c4
SHA1 f1a451c7e312578cdc235b90a68cae3304d84628
SHA256 bf3fb366dbaab5e925e0865a9f78c4d84bb1bcba84682b162e95fce9397d5e26
SHA512 933be5678c7c06d4d20f3acd12701ff6e43665211cf5ebf49ac41ca7666d8b165418b3a03e23f182093a4871d63cae5633a5b650772c8aba922acb41e7353a6f

memory/3796-1093-0x0000000000400000-0x0000000000B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AQki.exe

MD5 e6a6d92c9f93ebefa5396aa8eb82312b
SHA1 5d0d5068f52795377c79f37e38708d5d65715313
SHA256 4651350ff60d5b524fccf02d099cd7b4cc0f715ea35689eff20604ac95aae84b
SHA512 3080b594f1018b7cd061170ae27887c8d11c5c87ea6670da2de1de7810a5cbaefd0ce81d61a6fc27f387fd8327da6e9d5ca8b8c2946e0fa05c22445a0ff437d7

C:\Users\Admin\AppData\Local\Temp\gAEW.exe

MD5 dc1480a285746084a896ebedf5e3e8ca
SHA1 af6b4b3f6d4700115dad2aba2db99d1ae2132e7f
SHA256 6b57f371bfa4063988956834bc24da63957a57b2a83b6a0dc503a52da519846b
SHA512 7ee07ca6652b54176f9281d8e3a2ad8ee1ee7b77e16c4565ce1858957aff8cf26b606bff7afa87b265d588cffea10359b40de89e6bddaa21093b360f964a01f7

C:\Users\Admin\AppData\Local\Temp\igcM.exe

MD5 ecb2c2e4d3c005a765b7f95264e7bd92
SHA1 0f75bb7dd81b29699f431845827fca0e78744a51
SHA256 cfff0846d0bd6a96d43620b640b40c0299880153c8c85a09db535cd0297a30b7
SHA512 2ad4ca30c4b675fdc2dfa3f614e4f48eab054f9619ab31326d43b5663be7afc5f4cf28514fec106d06657997650d3b108320acf3c34f59d46ee2b74e0a67853e

C:\Users\Admin\AppData\Local\Temp\IcEW.exe

MD5 64b8f535d31c9ef8c633a107220d16ff
SHA1 649b6d0b2c47b4d018805564ff03ebacf0ddcd53
SHA256 92a4d1c7ec7fcf61815f963d069b7f8e2db2826c864748cbad54f1a6ded82c06
SHA512 cdb75ce28dc2f88fd113bda5e95e5dae860388a7ec445cab907840b3ec83b0d89d9e583925b2fc4092db22ae75271dfb3bdd77ca662fbe4e2fe1441b59170da8

C:\Users\Admin\AppData\Local\Temp\aoAK.exe

MD5 65fd0a13717505816455dc34d403538e
SHA1 3f21c60891bb858b504c4b1f9c249ba744c642dd
SHA256 fcc0f635752e12031c0201a68df426fb6a5946848391c1302398988643b79195
SHA512 4b5177fde82b3b6488a5b5138e06171556d7b4e7502d83ce2ec48baf33575e2a96abceb42ffc6e27a89a41b079ed5ce603ab873091b0a039456d6b667c755f02

C:\Users\Admin\AppData\Local\Temp\KAIc.exe

MD5 d17280484bec5d853212d3cc70307576
SHA1 7f5a13bbefb42e5bd28def0deb6cd9e6ef4afb9d
SHA256 04c3d7356c78d98d7414c287bb3dd6cea358f362470ad7c8666362babd4b5d8f
SHA512 b57466612efb6f333b15965359f053dc0ad712f3b43a200784634b7cb35372e8f810a362d9c7695e14732d4ee5175198098ea6f1a926ac004a00c71077a62b59

C:\Users\Admin\AppData\Local\Temp\uggK.exe

MD5 1adcb1bc4d27b6e1ff20969fd4041fa4
SHA1 27833a4125e8dbf4f9b08c1cc0b1eb1becd95da3
SHA256 d3e68af4d52607f5354a3e28c840d3b2fafcd80c685a15d4add988b755113a5a
SHA512 5a2c0c50e16661fa353946eb5cd8d43c79be88a2927b6a14cee6e41d2833c4f9278649bfea9d4b80381295cd274d21c89499ff10d0b0a200ce8d3ddd85ede0c9

C:\Users\Admin\AppData\Local\Temp\QIcq.exe

MD5 7e1cafb5a0453c68b6dfedb31f447c18
SHA1 c7a2a02271f9d006f9a03c0834980bdae93849a3
SHA256 aed008eb5bb5b7d8d6f70c289c991cf7771c75200e2392a0d66a22d418b4cb8d
SHA512 bb933a8be825fca5581874092e3a9b3a3c15dec9e0a734a27389e97cb7f0fd8edb0d1e61ed6857582760465ca7373ff17dee365bf438901cbdc7041220120f90

C:\Users\Admin\AppData\Local\Temp\Kwci.exe

MD5 4d963684eed9285fadd5f760e9f44ae7
SHA1 93e3fe0dd9bd89cdd346dbec7bf36bc36a6ade03
SHA256 890f8778cf73cc60c820a766b30f49ccbf785e2a1e6c208703d444c70c626de4
SHA512 2ac7b7967762deb2b2afeb198edc66536d931b57c4ba7bb28c8bb00840df9fc55d21733888203c3d5e6a76e84b02f5a12938d54cba0730e1ee0c1b4ebb700810

C:\Users\Admin\AppData\Local\Temp\agQS.exe

MD5 f66caae8b93e1d36368f28d9d17b68b9
SHA1 ccd409b550cdd50e6f97ba5a5c1eb2f9649b95bf
SHA256 dfb682a036abbdfa9d758d8ef61efcad937623b19d56415fead1b5b4e5b73eb4
SHA512 c79533419b684563cfe0680cbd115a1b9af0d49c94d04ca25b608a80a68c72773011cb99e7de524e17c0b08e5725f6811826ff53c91b15fb52ea7ff48a1fb9b9

C:\Users\Admin\AppData\Local\Temp\QQwO.exe

MD5 796b2d976ca7f3bc7eb9600e34941241
SHA1 86cf11716f9b7e6f6f06056ddccbf942d85b2530
SHA256 d24ea31edfb40ce8f4ee038197a85c2b6f27561bd966926435ecab17b2b399e3
SHA512 f6b72c1f506c78555bd76d453deaa54b3e4ec6a0f2f0e392edde77c33b50fe1d46f88b11803b426c00fa47325901d8223d2e3fdcc6bdf9f06e232e5c6bce9afd

C:\Users\Admin\AppData\Local\Temp\EQAi.exe

MD5 e92f180b187c05fbfcc3d9fd1873f8e3
SHA1 861edbd640208b0f73be78f3adaf22b1a50295d5
SHA256 25aa7598918af20a1b1d02a27457d2fc22c9f91feae0ddffa425725e73501152
SHA512 60db14b29310528a94557dda735badebcfd9eefb9fe5c3766edc4ba4247bd850fdb5f6496a5135cc669b252cfab05b2b1b47abbc704d6deb943e338ac399ee0a

C:\Users\Admin\AppData\Local\Temp\WAoS.exe

MD5 9effdde610d5040f720c359f1b005684
SHA1 8aaabcf63192092e2a54d4c5fdca2c003244d1c1
SHA256 589bb25f3db6ac74dadf2396925f3dc5d3738b4f78b3a30de4030f16d991f93c
SHA512 0f5da2c64d1c7fcef4a95fbb0f9783ce0ec0ab8b0db2411525dfc9c539ace56f80b85db286faeef76648f4c2c6c1aacc2a055b03beff03da2fbbaab84091dc08

C:\Users\Admin\AppData\Local\Temp\SkIC.exe

MD5 097415f1967b47d546107e909697e90d
SHA1 f87770f3f47eaffb83b10728990857aa36669db2
SHA256 3d7fcced14f603d6783e912953ef879b2cf30ff8eab64ac6d708a709a71dce39
SHA512 5d05507b372fab9dfeaf582c3d2c49ea0a7d16adcd7e04090268422ed4cfa50c71c23c3b1c0c15c67176d9beb74c1d86af19a3f380c6ec4b9474f466796fd778

C:\Users\Admin\AppData\Local\Temp\QsMi.exe

MD5 4d88e3cfcc720fbece2d791538b9b64f
SHA1 2dbcb8b8c43cb56b05087ddbfcda8f19a8b07ba6
SHA256 2cac22b90ebd06e028a6d3a4f0a8d55de22e554e2cc292a167a3cf8f8c3f2f66
SHA512 ccabc63dceedade60bab408c65746172a051aded973e3101622294ea1fe56f964e747fd642292ccf633010fe15535272c69c329b0b0c7646c47b11aa06285320

C:\Users\Admin\AppData\Local\Temp\MkoE.exe

MD5 9101a1250e90de385349d0cb45fe5310
SHA1 4d812168360b8f8e8acf7ea9dcb9bbf3409c14ab
SHA256 7b3e7a1aa3e10493fc5523579c26e00a2327e7b630a5d1b9ba50e246da84d341
SHA512 1d82b17193b637e6373712455796dc0be3cb00e7fb7d263bf94d14f66152aca62eca142104e8dd7e6bed5ec67b4f5de93e136e2688f8eb94c88d2da5e68f722b

C:\Users\Admin\AppData\Local\Temp\WgIM.exe

MD5 8d6d18dd97996082022e698c76941645
SHA1 35becd1eea7381503844bff0eb0ae1b48e3333d8
SHA256 0417e322bba824b2feb36aca90b2f659b239091df000e3bcc61293852649cf83
SHA512 87d00514dc911b3bd4810d0e739c8b4a7843525efed6e3bab0bec2c19c642c6bf417f386fa55c0fe6f7eb88321302bd9711825f4d4ffcd7756436b24265f8dec

C:\Users\Admin\AppData\Local\Temp\emww.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\Qsck.exe

MD5 db53b5b4739218b89744c1c74aa4df34
SHA1 68e3972b4b2b9254d72f16892ab818d71ab328b4
SHA256 706c89f1706766414257108e8966f1453982e31ae735c81e2d1b7b604b1ef54b
SHA512 32d0838915c2a60ca7f1e9efc4b93f656e2960746d13e8a6dc5c32f42a8d75a6c4a62732a0e11ca9ec38dd15e2fa69e54afc60fe2c6e1ee60b5a5f853a1f9668

C:\Users\Admin\AppData\Local\Temp\oMUm.exe

MD5 28efd9e381b281508e67e13ac3026f2f
SHA1 c8e6f8cdb0dbd4c2c450838b64b152cf9001abe6
SHA256 4999e1245d60173882c8438ae8a73f6d826e03866b3b7b07e9444c31d4a452c1
SHA512 666b6885c833a453f09412f9a09301e868350cf3af36f1c5299878779b068457e6e38f78bf6cab7a0bd567716ffd1adef9aa9536860e8aad675ecf7c13d34ee2

C:\Users\Admin\AppData\Local\Temp\CksM.exe

MD5 848137624a98fee84c11dbe767df5705
SHA1 baf468dc820f83ef0c169ad9e09f62dbb04d99b6
SHA256 2a4a73d8c7fb146053ae62189ba644feb2f284e81fff758a3056e66436bda164
SHA512 d6738ea30b9b89e6bf2a7c5757ad1bea6aba5c82cde1b076c8c4904a51d1b2872ee8c3396342fef312d70c9a6c56f0766eb6e1950f475e65c6690c204ddb5bb9

C:\Users\Admin\AppData\Local\Temp\WUgS.exe

MD5 dcfe76910795e5ef7ce8557258d70603
SHA1 3ff07148df2d2a2aa580c7611770e73467dd0d64
SHA256 5fe70668d62c1273b0d27ba2041c28f490d5925571ae31074c926a9a639ab655
SHA512 de5ff062d1b18b39577e617d0d4794e9dd20778ca8667763762337b48345c5adf9418d3a880af96d3bacf47024dd42017a45db95cbe4d2ac2f5f2254aba68f8d

C:\Users\Admin\AppData\Local\Temp\gkYU.exe

MD5 ee3aea3ac0c40b75f6f5c1c721c151ee
SHA1 c42b80e5025ea364951acd1b7aaeff33af16e08c
SHA256 4d0ecd851671c6fb7f2f98ad9e553a735ba3799c11d1539e360197fc8a9890e9
SHA512 d28ab8286a6601fcc28f81b20e758a8b4b52ea924137ed24b385eaf9921fa523bb70ac47b45d13b1ed1a8a6aaf662df71e6f7558abfdc3c5fe6b349e76a17adf

C:\Users\Admin\AppData\Local\Temp\okgk.exe

MD5 049aa12219d8ba95e8a972b3ad28a5ac
SHA1 99908d08d4750e5b7fc2fd4a99f8459b9c243c9e
SHA256 96d95168354f4bc2534e376a28d9d955e047bc3f384eecbac5f8d2ec51add0ec
SHA512 db5606f2712e25776ba25bd1a2043d149ca7f188b3fc48fbf22647a8ae99f4f7b783ae65d42267f0040acbc6f75393a306d14cc2e34adeb24b243a1e6d34bd1c

C:\Users\Admin\AppData\Local\Temp\YYMO.exe

MD5 760a0645ac8ad362e244380bf71be104
SHA1 52008c6d572af8919a0145b8b2b77843d29be0d0
SHA256 dfb58b2006a7ee603182ce3e85faf35c9904d63cff6372b70a63d2c9d69b2655
SHA512 25f212fe24bd9f729456bc1353315877542689c5d4c0483c3a3b155bb6562b48558dcf6c53854ba7c56c18c334c32174864a059d37e2c5ad89f89c194e7b56d7

C:\Users\Admin\AppData\Local\Temp\aIIq.exe

MD5 42703237c31b77ae4413f102d542fc72
SHA1 7fdcd1894a962a35c9e7ff351ccfaa7f1330b10f
SHA256 861faba0ac84e46790b30e06a64cf57a6015b2b66f6d3dbeeb5da4de1e9645fe
SHA512 108425d932fe35be657640d36d3c83c924af9549dfa9eddef8c84e0ad36adac160c02778a1f86e4eb6af1cce828307c1ef672acad27f043a59bc0018165e3b88

C:\Users\Admin\AppData\Local\Temp\UYAa.exe

MD5 d1ee039320bdbfc6c67c99f2498c512f
SHA1 fac1536e377be97bcae363e7bbe256d2d84b3920
SHA256 dbcba2b5c044f434255fc7f8a32da4fae716f38b18879ee65a9d34f2a8bad2e9
SHA512 3cad5b44c93532c3fdbd3d391d7ce93a7bfbd94f2a96abe9bf53999d448fb94456fa9a01514042f539459cccac9bdedca44f0f127c8bffefb4b87021f3c651ba

C:\Users\Admin\AppData\Local\Temp\IUgw.exe

MD5 b5b646544cc041cf1d71eff20a02ef61
SHA1 2be4e519142ed22d0220e6b4c6de6d41491d6c4c
SHA256 930a0e39e53516d34d95d7e681dceb15f79dc4a6330211b9217aee406b570cd9
SHA512 bd10eec3b385af6da6bce13332f3e2533df79097ec59c5bc3122b8fd2b41f20fd6b98c50ecf342c33f350abf2162986bf96211bdf7660088a6e90a9783720d3d

C:\Users\Admin\AppData\Local\Temp\mAMg.exe

MD5 a755c36149906081a2af3f7c00b7984e
SHA1 a40dede0dc6a38bb73677b468321531e849e942c
SHA256 cf6671668aaf017bc5e63fd7f85a87afa12ad5b1034b0b69926ed603c981046a
SHA512 34e75ede5225e0c9b21b84f3c57743b86d0dcbd1c52c432bc5aa8c3bff541d5fc479243c7c7a9d07a6680bdf9aacbfda277124089a0bb687edcdc88514d1e84e

C:\Users\Admin\AppData\Local\Temp\CkUg.exe

MD5 32cb068191b8fa4c32f02f78516e6582
SHA1 df63f84c4b4c128430aedd6b7952795544095a1b
SHA256 4f9d0ccf06499c1119a76ce1659d9c0615a95ec6866d1b69df25de6fa9fbfb46
SHA512 1eaade4e94113e3500808ffa391cafe4384f4c6d58a140c4bd712eae703d474f1c538f63655463d2bd36a48902686c8ffee728a1e48e5161a962fa8a7b8eb037

C:\Users\Admin\AppData\Local\Temp\ooww.exe

MD5 94fa9dac4997767ce05a2ab067b87cc8
SHA1 f359908803a85c0ea02446c61b1cb398c3e98dd1
SHA256 890fcab6c087955c8c8bd3aa66c77bb60740c80df50e2d4a2ce33f2139223a10
SHA512 3d129fbde0ef28d14274fc19560832a7d60772dfde29c266ddb2c11d31911f23030a32cad3aa0a9f30f70a1592d1a9143685489adb9ac7159b913289ec509d60

C:\Users\Admin\AppData\Local\Temp\wwAm.exe

MD5 f6962a4b7b5f5bd85c72fcbe5f4e6dc1
SHA1 0cefe27afb051873351547c61b647388eac6304c
SHA256 a3719b18f4042f1498cb3025425902dc85d2745521da09da2077005086e3ff03
SHA512 c5b7ed35c5915af00bfb4254478b6d11f1232d65795fbcb62a8b921fb3765719669d1a6b7e7d028ebf20b48d4bd7969aedfb9c2d84802ab4c4a5c37ab343e6d5

C:\Users\Admin\AppData\Local\Temp\EwMC.exe

MD5 136c6f27c91cb0c6b5ea17d7434534b1
SHA1 7942da30c0c643eb769d7a492ac2c1f71ea0091a
SHA256 ca6264e87826e485c177713a346ed5da151cb1ffd4e438722cd0e92f3675553b
SHA512 e9ecfa2d2aac5b1b3b6e0d82803a29439291a1db9877ca01a4e297f8a521fc8a6fd1f7076e2e1d47c8ce7517e6b5e5845afbd32dda38acdc1c716157dc2fbff0

C:\Users\Admin\AppData\Local\Temp\WIci.exe

MD5 f40de14fee7eebaf4f9ac9552292e7f9
SHA1 64762d1caf17cbccd477c5d1c3b5e0d385f49c52
SHA256 fe5ca5d5bfae9a89fc997324d568fb9b73ebc3801563f88b84009040f943c44a
SHA512 fe6a553c440efcc89a984464848361b8f321f0e7bda9fcc82b44847d836585b3674044120314cd67b6b889ac6212aef626cb59360e8ad80d6318ca3625e1e5a9

C:\Users\Admin\AppData\Local\Temp\SUYk.exe

MD5 b272357f943748d81028959b6001fd32
SHA1 42c7dc09ec4bedc320338fa9903a7d0207a9ce48
SHA256 2e60439562fa15974631a128a8bfd06848f3638194cc0232842cc12ae60fd886
SHA512 01974db0b8334ce6280d5d1f167c9d41974ef5dbfee8989770ba336696cbe5088cf6afdde6c9a7e9b06eea19485704ace686dc8084dc8d0946edd8c6cb0194d7

C:\Users\Admin\AppData\Local\Temp\ckEM.exe

MD5 79a434294542af3b49ed1edb78a95ecb
SHA1 0261b2f6e155e9367a0001522ed218e7c781e933
SHA256 361952550b507fb9dca795aed9853bbe4eb61b560c72fd0decdaa75be7290cb6
SHA512 53f9ecc85c5c2425c29e346313a9142979e553aae310504fa45fbfa28656b427b18e8b4bdf5bdd68bccf32338283e2f222e4a94001118a9df7abcfb177b66a7d

C:\Users\Admin\AppData\Local\Temp\EcQg.exe

MD5 37c38595236706c07469c1ce45f655eb
SHA1 43a01e396f05b2099eac8bbbd4b824e108eccce0
SHA256 1351114f22a8888796b6c22193090b2cb59da051f5d4da9e8fa71810f9b7733e
SHA512 c5b30f91123d57f3fd9503ba0eec8b153a73b4c6ef356b587d57cf6c36c743442a2e76e6537abaeda86464c93b4be5341ae8a90ff687032e6d261d08e9bb3c65

C:\Users\Admin\AppData\Local\Temp\UKMk.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\CMEy.exe

MD5 f3a07c47c06e0f3a7b7bc04686db07c7
SHA1 f84c6ab920e4e56b0e8ee6f83b961722a03b434f
SHA256 9e1c4f3b6d619f6673b8913e2f8b4b6e14bfe950bf199c53611d192eac7d9074
SHA512 0a72749f5740bad4ec650fb65dea8037aac5ce120e6e782300e0096986ebb3ba2cea89baafac0c971d0be7c0bbf1a2c2e17053acbe698ea458fd57ec1d7c0f3d

C:\Users\Admin\AppData\Local\Temp\AgsM.exe

MD5 e4ee28fcaabdb0f5ab3e1df87d8cc405
SHA1 c4b1371658ab91a24f38244c28cdf0a599b20618
SHA256 23688ae919530fd3ca87557a8444eaac3e644d61dfbe73767869708dbf0e6358
SHA512 8fe3210aa973c0242b0056e629310656107c43dcaa29d9a5270bb66e07df37ec0cd35f56527d69cde9ef6e60d49954dcb9b898371d55cbfef98f91432b4dec62

C:\Users\Admin\AppData\Local\Temp\aAUq.exe

MD5 c3bc1bf4b4d7f1c62d5aa851bd328607
SHA1 b2b682e77677abbf256d647ffd0eabf7246f6a5e
SHA256 7306545d37555531953338c2055380c54041a9262d8c6b0497bd3f26f80cd69b
SHA512 9a8ebe016bfef4420f49d47c0961cec747f5aaec589b1f7afd4e525f9da449b200517a7867b3945cb780203fd9c2997031e497c76e5c35e7589dc0f2de6dc131

C:\Users\Admin\AppData\Local\Temp\ogcc.exe

MD5 aa1d8822967ebab42d2360692c6663f3
SHA1 73d411e8efc6a4a2cf39142fbc204add19672bac
SHA256 cd1e2bd5d6fdf5aae03d887146a012c8077bc08ae8e608d8f989ed1fa572ba2a
SHA512 00f04aa6abb2e35204062e0d749739a0b9e3b5acf1a642fd4e594110d1726e8ed1cfa36ed22c7e6140861fbb927c8d59e5086db0470fa38aba59773ea98a73f4

memory/4396-2177-0x0000000000400000-0x0000000000590000-memory.dmp

memory/3364-2182-0x0000000000400000-0x0000000000590000-memory.dmp

memory/456-2187-0x0000000000400000-0x0000000000590000-memory.dmp

memory/4444-2192-0x0000000000400000-0x0000000000590000-memory.dmp

memory/4456-2193-0x0000000000400000-0x0000000000590000-memory.dmp