Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-nydjha1pw8
Target 2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock
SHA256 083b85ac923fbb8dac3a91c9772762bc5b6c891a18f5cc684652c26fcac60b2f
Tags
discovery persistence defense_evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

083b85ac923fbb8dac3a91c9772762bc5b6c891a18f5cc684652c26fcac60b2f

Threat Level: Known bad

The file 2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock was found to be: Known bad.

Malicious Activity Summary

discovery persistence defense_evasion ransomware spyware stealer trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (53) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 11:47

Reported

2025-05-18 11:50

Platform

win11-20250502-en

Max time kernel

7s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\PSUYUcEw\\UYIgsAcM.exe," C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\PSUYUcEw\\UYIgsAcM.exe," C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKIkkUcY.exe = "C:\\Users\\Admin\\TuoAogQw\\WKIkkUcY.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIgsAcM.exe = "C:\\ProgramData\\PSUYUcEw\\UYIgsAcM.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKIkkUcY.exe = "C:\\Users\\Admin\\TuoAogQw\\WKIkkUcY.exe" C:\Users\Admin\TuoAogQw\WKIkkUcY.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\TuoAogQw\WKIkkUcY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\PSUYUcEw\UYIgsAcM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\LAwUwIss\fIYEwgAg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\PSUYUcEw\UYIgsAcM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\TuoAogQw\WKIkkUcY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5732 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe
PID 5732 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe
PID 5732 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe
PID 5732 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 5732 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 5732 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 5732 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 5732 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 5732 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2072 wrote to memory of 3456 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 2072 wrote to memory of 3456 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 2072 wrote to memory of 3456 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 1376 wrote to memory of 2892 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 1376 wrote to memory of 2892 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 1376 wrote to memory of 2892 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 6108 wrote to memory of 3120 N/A C:\ProgramData\LAwUwIss\fIYEwgAg.exe C:\ProgramData\LAwUwIss\fIYEwgAg.exe
PID 6108 wrote to memory of 3120 N/A C:\ProgramData\LAwUwIss\fIYEwgAg.exe C:\ProgramData\LAwUwIss\fIYEwgAg.exe
PID 6108 wrote to memory of 3120 N/A C:\ProgramData\LAwUwIss\fIYEwgAg.exe C:\ProgramData\LAwUwIss\fIYEwgAg.exe
PID 2260 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2260 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2260 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2872 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 2872 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 2872 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 2488 wrote to memory of 4844 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2488 wrote to memory of 4844 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 2488 wrote to memory of 4844 N/A C:\ProgramData\PSUYUcEw\UYIgsAcM.exe C:\ProgramData\PSUYUcEw\UYIgsAcM.exe
PID 4588 wrote to memory of 5100 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 4588 wrote to memory of 5100 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe
PID 4588 wrote to memory of 5100 N/A C:\Users\Admin\TuoAogQw\WKIkkUcY.exe C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

"C:\Users\Admin\TuoAogQw\WKIkkUcY.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

"C:\ProgramData\PSUYUcEw\UYIgsAcM.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

C:\ProgramData\LAwUwIss\fIYEwgAg.exe

C:\ProgramData\LAwUwIss\fIYEwgAg.exe

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

NRGD

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

TUXW

C:\ProgramData\LAwUwIss\fIYEwgAg.exe

BLQI

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

TUXW

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

NRGD

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp

Files

memory/5732-0-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3172-3-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlockOHBL

MD5 9134669f44c1af0532f613b7508283c4
SHA1 1c2ac638c61bcdbc434fc74649e281bcb1381da2
SHA256 7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2
SHA512 ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

memory/5732-5-0x0000000000401000-0x00000000004AF000-memory.dmp

C:\Users\Admin\TuoAogQw\WKIkkUcY.exe

MD5 c33d421fd5da7814afc97b92a53f935b
SHA1 2f5259d313c28fbe24649a6f552d5f52a32df0b2
SHA256 a6af2838a7e465420104fc9e30a6f2a27f10325c8c106b15dd4ba4d7473c9af4
SHA512 cafa9fc851d26d404852355bfe3eb07413544a2d02bbab64d9684e80b15074447838788bfb00cb483a792a5a610bfa8e5988951c11471fcf599cf303480935bb

C:\ProgramData\PSUYUcEw\UYIgsAcM.exe

MD5 3bc4e7d569830afca6d91f94fb8b8e30
SHA1 8e8de5c6cc444fa163a2c5c051778e44b1b21798
SHA256 6da76bf504f3413737e079668c1c254ef1a41aea7c2960fe80823f964d470b1e
SHA512 e8ea6e9a70cf5be346a0d5914bc11fafd94d5b80c72ece2f11343b934f6aef2506b48a385c09bf7b0401cfd957f5bae214ac7ba6fd21ea8479cb74e115406eab

memory/1376-16-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\ProgramData\LAwUwIss\fIYEwgAg.exe

MD5 101301671573e425de2b129e7fa9fbcb
SHA1 6e0a1f005f14991f71d6e936831ec2a629d4d476
SHA256 4315fbf3d35699c15646316a0c2cec810195a1282c6238f9040a4a00ffff40ec
SHA512 1dc314fcb63dea5ec0ad0128ec9b7a12ab28dc160537e89fac9508ee9ad000e1b6cf6c2e81ac080064a9e82f406ddeec512d8e088064deaf463bd9c0c7f7aa75

memory/6108-18-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2072-12-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3120-23-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5732-25-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3456-29-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4588-31-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2892-35-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3120-37-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4844-39-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5732-40-0x0000000000401000-0x00000000004AF000-memory.dmp

memory/5100-43-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2072-42-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iIYw.exe

MD5 747da9a854b5c06dce01a41b76357d68
SHA1 0314308a4e5a573ffd73f063508eb679cfa44ccc
SHA256 f527431d0654e2ff72f01e01fc35002337ce0c1ae78ee7de9e37f7ec9e765dce
SHA512 bf4eedfb7e344fefc357fca2e885d0dd337a35011e9d4604aac0f2b6a86fa727c42b7965c91d303702e399a8d87c18edc1f489d838f038feb13957d54b3a4fcd

C:\Users\Admin\AppData\Local\Temp\qcIQ.exe

MD5 3c672d410093e83542dd6e6384ca9738
SHA1 e7fc9e86ae629c81e805885dddd88752fb7b487d
SHA256 d97d7f6eb40721fe4415222bf41740266a8ef768b2c78c6cbc477f41cb2115c7
SHA512 53364484a4a9e2ebb395874063e0462e7ccff8aac44b95187011e458a625a1fc710574a57b60a36473ce3b2a5c0214fda79e5814aaee7cfd30a41c21d7979370

C:\Users\Admin\AppData\Local\Temp\GQgY.exe

MD5 f5a1dc5669995a3320bbec8d21f2383c
SHA1 d9fde767480fe9605c8bb8075b43599a46aab9ba
SHA256 1c98889b66ff1d91e096b7570ce0f7104a6c88ce4ced7acd184db8439642e96f
SHA512 8ee0e54ec7c28f89d420d0121dc494440f63c274b55740f16ce553eb091642c191e0984134ac0a06eae30d67e5aa60b265f80e11ae7f766dbf62993e62508a01

C:\Users\Admin\AppData\Local\Temp\GoQk.exe

MD5 10cccbd45425c2c963cc01797450a420
SHA1 c8f5e9b21e29d02315bfe8d55c3ddcbb6d959731
SHA256 6a03f26d677b9063d7d1f27b87f65f9e4eb8e87ff1e39718c168e6693a46eaf6
SHA512 26a074dbeb117b5595ab8cef405b338861beaff5b49a5187c61c16050ae764bc63dd0a6ad068e543546489d31281d68d64e05ff7a081ea48a84d6f730c3bfd79

C:\Users\Admin\AppData\Local\Temp\KEIO.exe

MD5 f130b52d866737f7e04302d8a75e877e
SHA1 61d5817154cfdf941a14a02972813c75f8669cdb
SHA256 27df67d2aa813ff8b75f5a744bd716ecd635fa0f9a7222a942d87393f1f71f99
SHA512 6dbb30fb7cfd3325f4820c7b86bc99ffba9c4007ffae3ed08299f31b5927f0032d0a695ad7365dc335a118b7630e77817dbbea8aee89e9412bc9befc7bc5ebf7

C:\Users\Admin\AppData\Local\Temp\KkUy.exe

MD5 03c1bc24e64aca7ce3a9fd4f129f2de2
SHA1 f69b111ed3da1fe516907f3fbe8b633c143b6b1f
SHA256 13dcd4faf80af960d59b67c418c7bb23a13664de278bce24c11705a88c9f1708
SHA512 73031e152117fadd081b7d875b99ad0a2ad88496074546fb2b21b55f3380d73a61f5e396ddd1ea9fb72c6d9b408a9f99969d1526a8b736ed5a6b71ebd16e3204

C:\Users\Admin\AppData\Local\Temp\IkYw.exe

MD5 79fa34355d8e862eb938ce7e6f40f9fe
SHA1 2e9fd55a10fa5283fef4db18afd825a13c02abcb
SHA256 375a817da82b554bdbfa5b79a4c3131f3c946cc895c83110d0c6f3bc279c286b
SHA512 1528110c72e346fb5b3099b211fb90e096d11e42c94b121f3eec1066216ae81ec0edb3ab5725c27d5852329a74b1e0bd2bb0a643e7f86760289acc49844f8fe8

C:\Users\Admin\AppData\Local\Temp\AoQw.exe

MD5 bf94c5adb311f75f2778c759d7e5e0bd
SHA1 43be436873736029e12a2c629b1a7198c2095b30
SHA256 7996131ec2e4fc8fc80b1f917f1980ab51fcdcf976700778f43ff1e74d95c727
SHA512 a6527c9b6cd1b260929ba6a7c89937003ed94c0fd658ec715b2e9a3eb4daebb7a8780b51b7d69e2a21a737cd19a16eb4fe996d399720b4165c25d4e03a2ee044

memory/1376-130-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yoUs.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\AppData\Local\Temp\cgIQ.exe

MD5 88f453949676244c5b269217b5f3415d
SHA1 5f44f4133e3d8f0e48ea5b3df607f4cb19ac241b
SHA256 7deaf5d2daaee786df91c337fb64922d58ddb616b3414a9c55577919f24ad2eb
SHA512 bb91558ddda969e0bfff0ca5f2f2473365ef1878ef71921ea5ae96908f8e840754d9980afda947a2c3dfe2482b60f28729c2fe0ed126ad65d0ee8636398b8eb7

C:\Users\Admin\AppData\Local\Temp\mgIA.exe

MD5 bd20e2e03cb5f41fc284aac1d2848cc0
SHA1 26f617026c68744029c3685d0a3039a437dfda68
SHA256 2af48aaca2d130b1d301f4f50b615bc6bdfa5b3f5fe17ea1d3bc8ea563c031fd
SHA512 d9f9110761c722d2eeb8d32f10a2440b6a48559b82ad46088944e1fa9cef881b799a239949fd6f7d741b48d84b28235bf9cef66279a18978dbce7a7acf178018

C:\Users\Admin\AppData\Local\Temp\Mooi.exe

MD5 fcce8ec11d1d902a311280de4e1ea653
SHA1 c1b0d48b3217ef862a1c2299b3916aa361aec521
SHA256 426793e9e6a544f9f45d78f319a75a71ec4a2c1a8870614c25fa8badc3a275c4
SHA512 c259a7fb8ebcf0405a375dabdf4a279c5e70e5631dfa717dc59410bc8f7d9f029386ab990613e5b27b351f56a886165b3423be0f9397894b149658c00aadcf5c

C:\Users\Admin\AppData\Local\Temp\yAQy.exe

MD5 d10123654f5ecccda660137ed757f0f9
SHA1 2f1467fb4e2d65478865b5146028ca9ff8b9fb17
SHA256 941bcf7ebaaa04587db94b2fb75ccb9bdec98465af9e86eb5380ef3b45e16d0c
SHA512 b5eb66c7f3d4d551b9e52c614bdb994e63873d54c8b025e617f66a3302fc2e1128aa0927b64e2088afbc13ac8ad2f2269889f04baf9713efbcbda2e6d81ab230

C:\Users\Admin\AppData\Local\Temp\GWIA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\gkUw.exe

MD5 5d9137d9a713e4650fbc27f227a33494
SHA1 029be6b9ef35f6faa2433d8f486716631d21f7b2
SHA256 372ff05909087d0d8b602458ab9b7be264e1b3c4325847da2e7c48ae5fc8a43b
SHA512 1be2866ad67fc8bdf802a6693c677e2cf4bc2aa524b3989c017204af3f2395e0e94fbc803bfe222b28ed974edbc3425da79bd28b5908bae2e4fe9579a51336db

C:\Users\Admin\AppData\Local\Temp\SIgG.exe

MD5 66b0a8de0abbd8549a9cbf53d0a95e71
SHA1 07cd6362fdc49a5c808c425484b42bdd176db2fa
SHA256 d5334232a10eaf27a64d8ebbd0e85d88db9e3e9b6e98c47aeeafd288975aea50
SHA512 8da416f5fe97cbd1c26ede83f2c89283fa8ca04d9035477893f79e01bb9aa7caee12c3238858ad5677d87cffa34ea571820ad2d4ec30802fe862569d143ab7d0

C:\Users\Admin\AppData\Local\Temp\CgIG.exe

MD5 1e70e0f16cbea3bd785ddce62aeb5ee5
SHA1 85e799342af81ae9ea8b07e14ce390c9ef9d51ed
SHA256 a213b3c49f6765c9b9052e1149b3f361dd17182e23621887633ac434a8331e1b
SHA512 ff9caa92883f910f6a56e32237553779ea48154609e76abae0c08146baffb80d1033e263c72df77a83e16a40e7b6240adfdd9332718a4b965c4f4cd432f18607

C:\Users\Admin\AppData\Local\Temp\ogQW.exe

MD5 1d9d933c014f04c0bedba33047b208f8
SHA1 b6a6c6980138253410d110b845ac44d96ad706a3
SHA256 4c154765afe229f17cf5b0ffc1e73405a6caa615f61d6e5be20493b657793898
SHA512 f51e6ac113d4435f3900f3aa18ad49b58c69145a1df9a2ec02bd6a2824c21dcf1ae9d50ef3fc9e7a80ae187105f4b75c622471ba923908217c146c11016c29d6

C:\Users\Admin\AppData\Local\Temp\uwoe.exe

MD5 66a711ba37ed141533a126444d64162c
SHA1 83d61023d16aab79248a9c796d3499ca07148420
SHA256 e587dd2810e7050082e310dd64c5e1f38b69001cf5f515cca67536997ef25215
SHA512 22f1e097352cf0a2884dda99d2f9fee901d9dbafd7296464edc76d3935b1daa20e9332195580503b57818f80073726ddc18116371dcb795e650771c97636b325

C:\Users\Admin\AppData\Local\Temp\uMkG.exe

MD5 b92a51b93f4dc85df9cbfc624ee312b2
SHA1 e4ac651f0a7113c8680deb98be9d7c3cd355db90
SHA256 8d9c28caa8ab755598b8d3e00c2a23eb86beeb8b077630660b686f2e572589dd
SHA512 cddf3338d4a5e0f85e11746b7ac2ad711d0b030387484515a7b3acdaed694399b92919baf71d96b99b987e25bed3e3d0f99950f0e0c05fb35ef15158d1b491b5

memory/6108-336-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qIQM.exe

MD5 a311631a61e40959ceebd9e65ea7cffe
SHA1 a62ba2b856a7b229265d83e1a5a1b0948d78c0dc
SHA256 abdc062e938999c10cc42fe7e692a0c5ed1fc1f7331480e4431b72a9d6ee60f9
SHA512 bbdd3b0cf63ecf42eaa14156ba6a0322f8a2e89211229d2937e6bd4aac44aa1ff427daca9aa410bc9d4f52d77acaffea0a8394446878dc46297600911e060cc6

C:\Users\Admin\AppData\Local\Temp\oQIe.exe

MD5 6abcd171c03b4b35f98f0bd331ad8245
SHA1 a51ab5b3a4ff29965c8b44559a10469fb281e712
SHA256 59b89c32f8d388b0529e0e6ac3839df40843c3c19aad2c3d5ef67828ec47725b
SHA512 20bcab5ea3f6f4a5f09fd0dc45ac93618d07de7bec18b52043f26579e2784c93441f5485c74b3369f22de746a51157df6b16042b109bd9eafe1ec3b17bfc8032

C:\Users\Admin\AppData\Local\Temp\iMIC.exe

MD5 1e5cdea57ee89b2a7315c8ac8150a362
SHA1 3767d6aac506f57febe36978a84f6bf09a1cbb23
SHA256 dcbc10dc6ed0d27666645f32ef9effa607de860770bb466b608bb0e04fc7f06c
SHA512 dccc3ec9f21356574109860f097551c32b954de8b40ca1a9e7769aca78843242aba5996abf71eaccf9e2fa4917d17121b5709025202b208b9b7da4673cbdff78

C:\Users\Admin\AppData\Local\Temp\uUcO.exe

MD5 814ccdf36f036c53950fde169c0773fd
SHA1 4df2405944061e2733e8b7da32f0347084bf8246
SHA256 6952791df0dba37f181ccf69cf23a5fd0ee66805c6fa5b1de21e578fddab816f
SHA512 2c6f9ca8b1831024df4b175841e98446b458e691b988b89e4ae1da0e28ac7b253add41f3e85ce5ff7f1296bd2a6b1c530d4b911176b8051a5a1df51f5661f2d7

C:\Users\Admin\AppData\Local\Temp\CEoE.exe

MD5 520faca8d36e9aaca2e3d46032780f1f
SHA1 9450ab132c5573cc5e1d0f352f3edbb2a5ba3106
SHA256 d6d5f78ae03da1104eb31988224985204a8e5011c6b88fd5d3957069b02cda40
SHA512 7d9e9dbb0b8d5a720f1377aedf6690712fa97fa313faf93f180e23a67f6576d9db3fdc36ff8c1f07b6eebf839de115e07207ff1e5b8053f625f4f3fea5200c9f

C:\Users\Admin\AppData\Local\Temp\eIUc.exe

MD5 4c8bf58e68359d13cff4bf897ab6e37a
SHA1 3a31be2060218c9971ba0ceaec6649903b206195
SHA256 cd9966d5239568e047f83e944b94b16593ae556c6b23b6334bd4d81a74436d06
SHA512 fd2e4b122b3c30894c1673f655f57dd8680802a2295bb1d8d6f4a18fb886d5235dde423783690a7629be377c7f9bbdafc28808206bd35e46ccea3bd404206e62

C:\Users\Admin\AppData\Local\Temp\uocO.exe

MD5 c37ed89ae643875e8781f9911e2f76c0
SHA1 50ece259fb520654f79c9012c9816220273584f1
SHA256 01d903b184bacba37af634a58085c6ec857eef3c65bf4560082fede575906726
SHA512 6e808cc0fbcd96db4eb7c016f0c26fb5607f7f977c90d8415ff44332bced287cdf962710401448cc58b8e5c0847f9a407cdd7b4d094543998e1e6e9a009886cc

C:\Users\Admin\AppData\Local\Temp\wEsa.exe

MD5 bef23cf093526f6f07719a215a31c94b
SHA1 41b76baece1ac111a331826ae249ac5388d30e1d
SHA256 7b87220ddedff1f5ce5c5006af04d6ca61937775d273294f88975f80a336c253
SHA512 525639adeff5178284ec2ff7ddba2d353b02e77ba17587c6c25e441edeabeb6177d2063ff790d7c7d04ad0e540ccfa1c99b3f81a7c8d8c55e20d2338d908100c

C:\Users\Admin\AppData\Local\Temp\sAUY.exe

MD5 79fcb4aeb16f1c4ed4a6ea40ad5a81fb
SHA1 259aee6bede6639fcfa0b93b242cf6970ba8c4b4
SHA256 5f88d10957a5bcc39ebdc3c8dcc854e11047741c8e558175034e5120404be806
SHA512 d07111422f0be00772ddf57a05478ba77626f2251a6cf22186c67416a18a983ae2a0a827ea490536b50d90172304234fc096f20eb7502d482f1dc97519740789

C:\Users\Admin\AppData\Local\Temp\Scwk.exe

MD5 025415877b024019a2d2ebc8bcbd91b0
SHA1 4ae4dd993f594f3d68dfa541edfb855dd6e5e057
SHA256 2dc33c229f75a6cada7147055afe7a0ee66b9e17ec23d89be2cdf8b7412c34c8
SHA512 af2d4b65d091b4d428d68d8900608fcbdc7b15571489c74924b7fc46d3c19b7ce3bd909a30fa43214598e2fe4a61512261f39ac465e0f04fd0e52cfdfaa5e9ec

C:\Users\Admin\AppData\Local\Temp\oMww.exe

MD5 a47858b1c18d5034c088c9146546ef51
SHA1 947f67e329e1ee59f37f4aa4b53173bc6b36f27b
SHA256 ccdd2a478e517455a76de4932c170c0da2e810d418d833713585cbecfabeb73e
SHA512 2f29361d1f86bcbb2e383069bcb426f2293e247cc9154c24faefd7c1393f7cef9651ddeb6618ccaeab281cb2706353d82cd2f57838e4409d86dbc7e1abb48ee3

C:\Users\Admin\AppData\Local\Temp\ackQ.exe

MD5 52dd8b2138490ae99c61c68c9be1b153
SHA1 acbabb05e8e623bb72e0eb1e190a43eda846975a
SHA256 d9258cdfbe46730ab7ff7d484d27b439994fa66d0a6fedb1ad774d8abdd86cee
SHA512 4779cee71c308cf30a2e63983cba33bcecbcb804d7ca6dae8d1cb14da368d4bb2d5c922e964864b983607ff6ce2617c2dfa5c9354ba19958dbda27bf720f4e99

C:\Users\Admin\AppData\Local\Temp\iUcW.exe

MD5 d4f07811f02116c77c5b8ece93698841
SHA1 6575bc9304b3e8d5940c568d438d64f4670d4ba1
SHA256 2ac5ec7e57bf5e122d8a6f416155662231da7b587b304471a9a6296579a23893
SHA512 cf02227af8cb802788f7c8cb095e802f16d8478a03aed30b9c4f3b94c61a608b0c83ba8ce403e5421e61bba3f1b837683c40381019ee3bffc5198702133e6a4e

C:\Users\Admin\AppData\Local\Temp\GoAs.exe

MD5 1c682d9c1a8201c71bfd03fecfb48b1c
SHA1 215c7f8e1f82406731032f13f100e262ec1f383d
SHA256 f512f0a73c00b784c62aa0e79edf2c9d51f2f56c105604e06f8fb4fe6c6e5a13
SHA512 151845702a6c7eb3ebefaf9c876ce9f13a83439dfd5399d3648a75982937c649a0afbcf6bf64d4f8f84656e1a5e1d8e05eb5de6a566805fed4ecad4135450151

C:\Users\Admin\AppData\Local\Temp\uAwC.exe

MD5 80bceef322873ab2a4a5ee35a8677267
SHA1 471a97e377cff390c7c20d22e1dd88cb861c5952
SHA256 5162172fc0e3c06d3b9a92a42680950df252b7011378f5c380e072b4c7f35c4a
SHA512 f949c33f97a33ee155ac671707b0b89fa40452e787b32d3809d6056c3f5965758041a688329a9438f97895c898d306bdb0891fcfd6baa52ffc261e2a35b680c9

C:\Users\Admin\AppData\Local\Temp\GAAW.exe

MD5 18fa540816936c40b54eae6b13044101
SHA1 8ae553866a9b9dc5e2b85c72c6b84513f800d497
SHA256 3e6e1cfcfe90874eb8a74248e5961a649af4c9b97e7d1e2748347d002b5ca9a9
SHA512 18909ff0b065986322992fc1cd64921599cfddf250f83babbd20a94da74ed84e610e8be3e16236cdbd7e64107fef1eb8efdf1c46aec967b2f2b3c06d79244d21

C:\Users\Admin\AppData\Local\Temp\sMUG.exe

MD5 93f0ced934624f28f2da56ede3c68fa2
SHA1 1beec75b56e0888de42f8627e3104c2beb4dbce0
SHA256 0c0048a79fb0bd28891272c813005608424d5a14694969edfc7f92554650c25f
SHA512 6113375391744840f42af9fb7ebf9d6d4481adc8cfdf6814a805ce71dcc236f3803a09b0ab41d33689d3e36a943edeecbad67da07b9247089cad9ec81c37b896

C:\Users\Admin\AppData\Local\Temp\SQAy.exe

MD5 22f52be9824446d72d91c0a139e86c41
SHA1 191f0159baba315dd48ab11bc69925e9a5539a19
SHA256 61abaae3d708cc8218d84f7503514b43626e76c5cda6dc0142bea7caef00b747
SHA512 0c3aa600b3d65a0847c943cb15b634fb354e67e141e7d22a3850151beac0ab3465aed921b46463aee600e9809697f072eeb132481848dce4537f8074802a7135

C:\Users\Admin\AppData\Local\Temp\qEsy.exe

MD5 6c9d7d206b6581d12c1bac4f8f202e71
SHA1 21859064722f5b1ab072127443d9316ec19d4ebb
SHA256 9476398779c41cf3e65fab608ede56fa57daca86fc3b5af8263cc62807ccca69
SHA512 3afb0aad4ad896756b21fa76478e2aeb94ebc542640510a35d14ccc4517eceff598d00261a4d96c3d3edaa21844ad1b2b6981ccd889d48279d753e84f273cc02

C:\Users\Admin\AppData\Local\Temp\Cwke.exe

MD5 8a8b6b7beeac70f1660e34202ac53ace
SHA1 b48096482539aedf71816aa1f72013c4adc0e898
SHA256 85cfb599850a59d1de0953b3bbbb4d6c226eeb53a34a14bd79727b610a76ec9f
SHA512 4b666923913f8353ef6259a1750ac9d7f1f4b496d565a398a267fcc0c441234c99530e9aab72ce334c53f78df8a23f9fcbd7926e10012ed14a8dde63e3003596

C:\Users\Admin\AppData\Local\Temp\IQge.exe

MD5 05d44074e11d06bb33d76089f69b27c0
SHA1 c643c4f3a19639cfec8a61f1837f6e9055c40c8c
SHA256 42d5ff8733228f850ee9b4df52aac4f0fd747b07c943e2dbf4c791387ac2e5a6
SHA512 9eceaeb594b2a0771bff9896c656d78bf3df9d1444269cea40001af078a4f7afe90e238c68ab84bfc7f6512d5aec66de95930d82d1c713f4a9819b9a6c4e9b09

C:\Users\Admin\AppData\Local\Temp\uAsK.exe

MD5 6454c617484c18b853629930560a314c
SHA1 d0d07026eaa6b36edd32674fbfe1538705c98c64
SHA256 b8fbd76279467f5a9eba1ecd52fb9fd985f3253ef8b100d134d5d196b5846a4f
SHA512 4eabc5e5a91d18d0f9d94c51b712d863472a6914322aa1f6ce3e4e8e312f99eddefae533a7c540aefa9f245ed8b1349f6d5a32884081b4d2786f616ef1a85919

C:\Users\Admin\AppData\Local\Temp\cMco.exe

MD5 9443f3a3c735ed8baf5e4ddcbaa7ace4
SHA1 29d5f21fa7789fafa0752fd818693bdf9023be57
SHA256 a81c8beff5f2bee81952b653efcc6b3802ec4f8c91c0c66d2d37ffc859e44c32
SHA512 9bc8d9268a2a01a51e65632d18ebb041fbfc2ad7c2275e064baa3a75729dbe00156e3aa51be522d79fc01690e53cd98add7040209bfcf81cb25ac728c1afd141

C:\Users\Admin\AppData\Local\Temp\aIoc.exe

MD5 d4c0b5a56d477b602f0841bf0d0fd33b
SHA1 b3b1ee0e33ae39c3f7115a8c5db88a625a98647a
SHA256 06b7e3f941f5660b830f2add8a73bf1088c34cf36a5d3e0dcba9368043f24ab9
SHA512 cda1078016e52d6221f17d504feac4d19e7683b5dfc6a6a679f7f7d82344b01dfdc35b4daf042a59d41abce59c3b6e06eab73554b46f5c661a254c39dd7c2b05

C:\Users\Admin\AppData\Local\Temp\IsYS.exe

MD5 cb4974f3a13ed31767726bd43f5ce13b
SHA1 9c6b494746e434eff7c684786fd3635834417246
SHA256 7773cad17146413848fb6efb2210234d75fa4ef4125ca32ba87b50524d4ca846
SHA512 1168c9c9988a7f71ced1a8db3491553e98a2472420c146432acba4983288ff3c330aa78d40826a163498c3b8fcce2250114c8aa46ba3fb6ca615e6057dd3c529

C:\Users\Admin\AppData\Local\Temp\sUMO.exe

MD5 93cba82bf02de19fd5d0106ddcbe3a78
SHA1 871f6743e618b985fcb53d2ca8d5f3a5a85986c5
SHA256 1b0833096937775d40f1671f5caaf6ac0e5589cd1b0e726c1f1ee2d13c052fcd
SHA512 4ed5c426b676395e25f9c05a6ce96ef3e45a0c83ab3bc537df45cb8fc67e3dca63e860cb7e08e84b6c8e1d9f165c1c9f38adb3173494e7acf62396bdff999187

C:\Users\Admin\AppData\Local\Temp\AYMU.exe

MD5 7c12cc983fee96fa8dc800cbb4f8de19
SHA1 1dcf96136315aa0411f244b67d008bde66c22e9e
SHA256 260751828288208c5ba0a52416f2bc21f44e191a784085db123bd75a0462a791
SHA512 a0a23ce6a7490c741f8348582b0102e35dfed16be592f187988578cbfa905ef402db3e752de71c8bf8591123ec376110ae8eebcc5aa2cd5caa8838a1a36a58a4

C:\Users\Admin\AppData\Local\Temp\GcAo.exe

MD5 c59f7b2f5906890aad402ea765646835
SHA1 385e889ed1e496b510217ab5b68af5a0e0991e4f
SHA256 8338cc445dc0dac43a662730bfac08d53b5209c2a394ab58294da26ec4025419
SHA512 b011a1debb7aa32663192ba024f022516fa4785bf27d7074cce37965ee0cfb6952158757ee54d422ead0c22a60a4566359c59e7961ac780b8cea520338d327a6

C:\Users\Admin\AppData\Local\Temp\KsAq.exe

MD5 7215db1a6695c201b787e031dbd2cccb
SHA1 cf8d2f2d3024db4e437f8cd0415e3690a92bd0d6
SHA256 b605dd81ba2e440cbb9cae35c94c9f3f448e596d83c05d2e90fef24cf5ede02f
SHA512 4edf56a6049d6019036c33c1720b1af50a65b4721fe911fb0237c4ec811c9fbd9b778fe26ea786ae34569925300633ddd309573837e0f14a4673e702ec993853

C:\Users\Admin\AppData\Local\Temp\CIYS.exe

MD5 8b21906cc2b74997d2f05d7f952a1936
SHA1 fe3930bf2646a7ef1cd18b437b029ab79f5a31b3
SHA256 91d5ba6d26f3f5771514ce58895f0ce141efaea81c20a03f1bd2a077557d206f
SHA512 bdb412474c5506a140da3fdc0604dfc4e55c3a75eb6f86c0073e1da8c2439b7a0c51e6fcd601f7fa2e2754a99833223daa48d1b7bceba8bfa9060d0a117d66a7

C:\Users\Admin\AppData\Local\Temp\oEko.exe

MD5 682499974c224c5cfe5198c849016efa
SHA1 235ab000e8cfd9b51c79fe8bb84a98648cca1db9
SHA256 07b7b5c7b4688758e217a4ab7a3a463628b5d1de43c714f36ee8634b04766f95
SHA512 0a1f83e82dd37a19b52bf9fcca9c0c628dfd660059871365991b2308420ca824f6de91e811adc2c00d8a08b293f2c94f8e017cb715d742f3a7eb47d2d72f1c4b

C:\Users\Admin\AppData\Local\Temp\wEMK.exe

MD5 7b5346c7e032923f4da8b88207b08d9d
SHA1 2f56cbb12947c2b1cdbdf39d0dad54c202566a0e
SHA256 aece0481f4263e0c1c158b88620d8cf613b81d1f3cf962cf15c023d7a85f0f60
SHA512 361627803421ead9637f41bf7d7d9b7de12fdb3150d92e7b158e10c18cb76b3c292850dc468913b2c4ffc0215ecd41be8010070fede0ef9cbb07a4615881278a

C:\Users\Admin\AppData\Local\Temp\mccG.exe

MD5 6f2d3bcd39bb3e79e4aa658ec93bf36f
SHA1 b2a828c0b71a85cd40bced30045a499a0199d85c
SHA256 2e29b1f3d69bce1c14bc76285898a6361f199f100975a9b7e3e1a74332beff8c
SHA512 5bfd8adfa4e43ef77ab5d4872c6ada55a92b38ffbdf89d8b09018c44d0fa8169a3d492b34b126c439520c15ec462d236d73f2664f836fc1e9d7c475d1c3e7683

C:\Users\Admin\AppData\Local\Temp\AAos.exe

MD5 b4f62265686d4346a24923836246ef77
SHA1 d308bf3de5fcb52f23a150fa07fb46b4dbedd531
SHA256 de61aa409c6ae43f07753bb7038d43ad65526aa23ed023461daae9f317de1ed1
SHA512 7203291fe6776f10aeafcf1223f08fa0336a704c16d134f27eb812e1543c98a4bd753e062735c0e94379ecbcace6e05ce5441f5df67395c305dc7223758dd48e

C:\Users\Admin\AppData\Local\Temp\kIku.exe

MD5 38949cbc0d7c32b44fd800bc5bcfe06e
SHA1 3dabc29bc8f13fb9af545383b69c9e9143a5072b
SHA256 8e8a3528a005cdc5b381e10c5032a236fcda0437e57e2136a503b109e6f1c5b7
SHA512 ce5ef27e19f2745a4f65bcfadb9e40658c6888feb7e741a61c57b8783aadfff92bf84d65cde1c35721670a6daf5b18bd58ef563bf3d423f6bce594f0b4b6049a

C:\Users\Admin\AppData\Local\Temp\EIcC.exe

MD5 d371b9585d5f2fda61cfe350154bc898
SHA1 e7e2ba9ca5b94d05f3ab4479bb10e7660c077b93
SHA256 55a073c0e9c5d9bdda1f7c4ebf7f34539910b820dcdacf3df7aeeed395522895
SHA512 bc63c8ca3231cc5005d2b1827ef212b75fdeeefb68787bf21d730d0cf5ceab25793466d01c5e41c1b37a3c01029f027ada548f2c2ce12f60326444e0de3353f6

C:\Users\Admin\AppData\Local\Temp\CssQ.exe

MD5 df6a4ad26d2b498e2a24bd0df72e6ad0
SHA1 e19d11efe7768704ca362a541e9306478b7ccf7f
SHA256 481d998dd0a1bba73c9053f93ea81f75bc0309b3c13bd8dbddbd51b5440204d9
SHA512 856913af7518b43ab810daa0401997009c0428d31323145478fb506910f45343579bddfc609afd46fe052b4e0711590a7a07dc95009fbe60a60a7ab5253254a6

C:\Users\Admin\AppData\Local\Temp\qAYy.exe

MD5 ab612371cd2c4f09202d9dbb25dee282
SHA1 a7c3647b9608a98bbd53e06ebd2a2f0ed1acdfd1
SHA256 a9cda6e63ac135a3492995145984f9b2c5664a8719294a625095ad9c63c8b5d5
SHA512 8dfcb76dca742102ae5a593744023ebbca45f5ca3c1344ce5e64c1369bf77c2adc6959441cdec7cbda54d990e7184b887166ff4be4ccf80a71a28c52aa486375

C:\Users\Admin\AppData\Local\Temp\koUA.exe

MD5 c9db21206d77a570058dcce347a33ad2
SHA1 9bfcd3f087446946aa7b150adeb0f585c2276cc1
SHA256 739ac679c01b04c0f02467e36ce79e0aca1837510e52c7e681fd8e0bb48dc4dd
SHA512 d1871ce328670e119c5d984f05bc25adab88fe7dc12241d5d5d40ac7c4d38393ec19683614799a5669704906f6c7d5e21ac74cef28442bec0c0e1a3c2b9c6d2f

C:\Users\Admin\AppData\Local\Temp\OUkA.exe

MD5 3faff653bbdc7bf36d4e783889bed415
SHA1 a0cf4aacaf750270c478c3ebedf6d0e14f8a6972
SHA256 d46ad1018fdd9ac7ede958ea453fd9f99fdb83efefd0fed9744afa7a2e932c98
SHA512 2c4b032792751d5d0596064571e0159139ce4c56196d69bdc8050b60e408d4685d4e7ed9c7d3f0ff3ef886343de809d7ad60f66ad9ec5b4d7090f8c5d8ed161e

C:\Users\Admin\AppData\Local\Temp\qIoQ.exe

MD5 c23e410ede6d13daa24f94b0ae6ebc48
SHA1 ed7a7e40069f5c2c3144fc715ff75552f366a185
SHA256 1c6d61f9c8119d31cbbded655c0b913ec4e07a4744f10dd370c0d503457f757f
SHA512 37da1591cb4269bbd522cc952ddae83faa406fb55d63786a2adb26faa67df1812eb4721ec3c747d505d9e3b3fb29f203082448d32a325af6036319448d35ce52

C:\Users\Admin\AppData\Local\Temp\kIMY.exe

MD5 ab7003ad9be4906bbb03d0695886df70
SHA1 618029f50db53b9099b7ba088272510694f1e066
SHA256 30500507a2ba2fa0c091ea598722d37ad7539512d781ed2f617e050ecc608b20
SHA512 769f1e1f7458457d088d5b60bbed2c8631407a06750478b505b713943ff847507e38efe722aa4ffeb270afc22c34e3bf756b7d1211c2498086f65fa534f534d6

C:\Users\Admin\AppData\Local\Temp\Iosi.exe

MD5 aad230386d791001cea3625bca5e86e2
SHA1 ea935c066ee586ec70ac7ff8466fff4887f7dffc
SHA256 6bebecf0339a67be1dac5b178f26683903d06fd8583bb269656f6351be015be5
SHA512 9d35e6efcf9be7fcbc14d4b44cc7d6436fc16953b77638a786df00508ea418340a92bbeb4f6c26215bebe6c6b9ce84eedfb539fd11ba287c3283773123b8895a

C:\Users\Admin\AppData\Local\Temp\KEIa.exe

MD5 d520a338c135f32e8f2ac2dfc7bee24c
SHA1 a33afae89b1fa9d0b0e049b72e7b3f537ad2a3dc
SHA256 86140e4a717d179c305674f4f4e74b2d6b1903382a768a5e4f2d2e18ea7badd0
SHA512 b5a70a59845d0913a9548892acd1c62ca8de707a3180c0295c60d34402b3d676595a2f97bec2cb0c37816a077c20499f3852f6a91f16eaee8503405a01dc89ee

C:\Users\Admin\AppData\Local\Temp\owgC.exe

MD5 51cb08d11c8b70538caa117a4631d472
SHA1 89842e2a3b432a5b96b48605f7d44e8e67662a6d
SHA256 06ea9363aae1049cb1e3ab9f80fea239d6f299044e250c42d9bed83cf27cf4c1
SHA512 3f5f67624acc0a54b4813cdfc02138274a799866515221a5beac5cef164d38994b443eacd6a9ad628a9de4184503dc29cfd40740cc4413fc26bf1fd315a26665

C:\Users\Admin\AppData\Local\Temp\qIYk.exe

MD5 408cef2b6b04e80ac4ff128e55a881a1
SHA1 ea18a4c7a3a1921614e6232d0890f87d57ca1f80
SHA256 e93fb8d59fbec840bb514747bfafc169f5b375f0d6d19cc583609f9b8584be44
SHA512 678c846548d6cc7a429fe70d89645f9a072bc8b4f465c9c42a1663c14b3bb538a09f65b146c15e533764344a064613da63093a1951136458151788c1a75813c1

C:\Users\Admin\AppData\Local\Temp\Gosq.exe

MD5 391c180bb1c6117862a26a2b87c296d6
SHA1 4bc424214037958c0c81f38db377b83ed12141ae
SHA256 527ac9f8438ff662329e902b63e6ca11ed3e908fce042f97890e850fa0d5e03b
SHA512 4c8c59db9bf7d3bbe60b70c8db80150a0e80ed0c5abc53b90e4ff17b753a1e3343a7e5b0f9c041110698e67abd7c1ad3c5167337d62b97e61ad12c3d02ed604a

C:\Users\Admin\AppData\Local\Temp\okIO.exe

MD5 0b1e61dbca3e9c5b3a4af8e27a646070
SHA1 9b95a488957f12b2a9f158de3c57f2d031148441
SHA256 162e159900e5e2698a43aeb1f35968baf3a2ff3a534e26ad2b44a79894fdd07a
SHA512 836b7cbfb527f95de3e258f0c9dd951b65afbb462d2a8c09c1f263a4430ed68dcbb2418328069db1848e8ecdf5f0f4333df43961d9e4a08be1f4c2770e23be15

C:\Users\Admin\AppData\Local\Temp\GIoi.exe

MD5 a42ced3f3ad75ebb1e0fcdd412f5ffdf
SHA1 6a188522f2397b0cd59adabd20ef808af190f264
SHA256 2bea8e0ca540231b14da506ad220d4c49b05cd49bb917ed8d4ec57b3ab68bab9
SHA512 01bdb69afad2b96fd73e6825a2e4f0eaa50b77e670c87e3e516e09da6d2e958bcf50808057aa8a44787aa60c7aaceb64ec749fd489f2ffd63a62bdbb08ec2ac7

memory/2488-1028-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YggQ.exe

MD5 406c5a7cc703277ffaea7f2d371e3657
SHA1 33e5d019a1bee4a84758fec64b0c3201afc4816a
SHA256 aee3bcb39fe5b5d55e704f538ff0f9c48b13c0b61f74ad6d4fde2d9abef30659
SHA512 ca90412b5b1b566ff9ae6916ddfd8e4cfc8f952d786fe39a3c34ffd63174bd43e6d5a026fb4036b1cd7825a9344dbed82e4e5b93d266644e4221ae57bc00c9e7

C:\Users\Admin\AppData\Local\Temp\yQkc.exe

MD5 6b8c9852adda24b91efd050c05fa2534
SHA1 c31622a6fb29b00a3511f6597014a50755bab29d
SHA256 1abbe9c638881523481d07e5f8c36086465c7218dfecde18589948a965f19719
SHA512 d49bff04cbd07a8a3d1087814de45908192b855b6fc3fa03bac6c9265a2b24a3b04be3d30ca17d65d4653f4934be3f5105b77133f7761ba2f454b700e96fda8f

C:\Users\Admin\AppData\Local\Temp\AIoq.exe

MD5 eba98196e8bd68d3499398b05da9b50c
SHA1 2e34dc5201e74ee4565813aa6f7f70dae3b1a687
SHA256 1166411ca8cb51ff0997f259a26feb7676f1deb88080a50eb03e7ff817accd3d
SHA512 cc1ae9d595e560c74bad934514bf0eab893cc9f964ae196c130cf3af8a66b551f328d31fd0ee85f85beb892e7c0b5b0562b3607dad28ae2cfd9b7bd7494376fc

C:\Users\Admin\AppData\Local\Temp\uUsu.exe

MD5 76f93667356a77e96c73f1cd822aeb80
SHA1 fed63ac055973b320980e907fab91c73a03618ba
SHA256 638bd43ea0b8491400b156453f7fbe4b6790bd0c9c3a90b60568f31007aa7675
SHA512 ae6b066fbc3afd913d39cfb1dc3f0a49a75e105c411186601319ec8b88c9ec8575af037b1115d194b67bd121fa9ca7e4dcd8b0dc88cd933ade2d9899872fd6eb

memory/4588-1119-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

MD5 ee81fb914f0cfe46be77fe93cee88cb6
SHA1 78eb805f5ff25b9f9c640a65200197364cc28a9a
SHA256 bfbf07fd3d6121421cd97fa790b921fbef53a9d8a9b0bb4e6b7be5fd9e731d68
SHA512 69a08fa531d4b16ee0899b30577e1af772bd0d81baa3d3cababa58440c7fc63be24f65b28e4c67be5769bf329f5f202e36796c22b4129130d07ad977b222ef0b

memory/5108-1125-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3104-1135-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2792-1140-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3624-1149-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3712-1157-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2792-1165-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/5296-1166-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3652-1175-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3776-1178-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1412-1179-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4052-1180-0x0000000000400000-0x00000000004BB000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:47

Reported

2025-05-18 11:50

Platform

win10v2004-20250502-en

Max time kernel

12s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe," | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe," | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |

Modifies visibility of file extensions in Explorer

defense_evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |

UAC bypass

defense_evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |

Renames multiple (53) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MwswwYsc.exe = "C:\\Users\\Admin\\nqEUoAUY\\MwswwYsc.exe" | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MwswwYsc.exe = "C:\\Users\\Admin\\nqEUoAUY\\MwswwYsc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOccIooU.exe = "C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MwswwYsc.exe = "C:\\Users\\Admin\\nqEUoAUY\\MwswwYsc.exe" | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOccIooU.exe = "C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe" | C:\ProgramData\PuUQgkwk\oOccIooU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOccIooU.exe = "C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe" | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oOccIooU.exe = "C:\\ProgramData\\PuUQgkwk\\oOccIooU.exe" | C:\ProgramData\PuUQgkwk\oOccIooU.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\sheEditSet.docx | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUninstallUndo.wma | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnregisterRead.pptm | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\nqEUoAUY\MwswwYsc | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | N/A |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheRevokeSwitch.png | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSetTrace.docx | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheSwitchRequest.xlsx | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sheUnlockTrace.docx | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\nqEUoAUY | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\PuUQgkwk\oOccIooU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\PuUQgkwk\oOccIooU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4288 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4288 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4288 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4288 wrote to memory of 6064 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4288 wrote to memory of 6064 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4288 wrote to memory of 6064 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4288 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 4288 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 4288 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 6064 wrote to memory of 4796 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 6064 wrote to memory of 4796 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 6064 wrote to memory of 4796 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 1472 wrote to memory of 4640 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 1472 wrote to memory of 4640 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 1472 wrote to memory of 4640 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 2248 wrote to memory of 4744 | N/A | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe |
| PID 2248 wrote to memory of 4744 | N/A | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe |
| PID 2248 wrote to memory of 4744 | N/A | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe | C:\ProgramData\DEkwIMMs\IGEYEAMs.exe |
| PID 3768 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 3768 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 3768 wrote to memory of 4756 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 4756 wrote to memory of 4948 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 4756 wrote to memory of 4948 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 4756 wrote to memory of 4948 | N/A | C:\ProgramData\PuUQgkwk\oOccIooU.exe | C:\ProgramData\PuUQgkwk\oOccIooU.exe |
| PID 5416 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 5416 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 5416 wrote to memory of 4720 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4720 wrote to memory of 5860 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4720 wrote to memory of 5860 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4720 wrote to memory of 5860 | N/A | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe | C:\Users\Admin\nqEUoAUY\MwswwYsc.exe |
| PID 4288 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4288 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4288 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4288 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4288 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4504 wrote to memory of 4932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4504 wrote to memory of 4932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4504 wrote to memory of 4932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4932 wrote to memory of 5124 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4932 wrote to memory of 5124 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |
| PID 4932 wrote to memory of 5124 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe |

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

"C:\Users\Admin\nqEUoAUY\MwswwYsc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

C:\ProgramData\PuUQgkwk\oOccIooU.exe

"C:\ProgramData\PuUQgkwk\oOccIooU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\PuUQgkwk\oOccIooU.exe

C:\ProgramData\DEkwIMMs\IGEYEAMs.exe

C:\ProgramData\DEkwIMMs\IGEYEAMs.exe

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

DZXW

C:\ProgramData\PuUQgkwk\oOccIooU.exe

BLQV

C:\ProgramData\DEkwIMMs\IGEYEAMs.exe

ZKFN

C:\ProgramData\PuUQgkwk\oOccIooU.exe

C:\ProgramData\PuUQgkwk\oOccIooU.exe

C:\ProgramData\PuUQgkwk\oOccIooU.exe

BLQV

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

DZXW

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 api.bitcoincharts.com udp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
US 8.8.8.8:53 maps.google.com udp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
DE 142.250.185.131:80 c.pki.goog tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp
GB 142.250.187.206:443 maps.google.com tcp

Files

memory/4288-0-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4460-1-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlockOHBL

MD5 9134669f44c1af0532f613b7508283c4
SHA1 1c2ac638c61bcdbc434fc74649e281bcb1381da2
SHA256 7273854d0e9b34a60907bdde8293415a0f6edd6b8b1ef3957fcabd584be869a2
SHA512 ada8e9c829abcba64641eb0a937c317e2a81494545eaeac4f909395ee739f8b519e331eed7ff67f5960c18029b1a48906f1bcf438f7e3a1e8c13b78fe8aed232

memory/4460-4-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4288-5-0x0000000000401000-0x00000000004AF000-memory.dmp

C:\Users\Admin\nqEUoAUY\MwswwYsc.exe

MD5 df455ad3f300fe64569506c558300779
SHA1 6c402c8b87d4311048fb0c38664aa17618748ffc
SHA256 78c00968b82c382e5bca8fd7a35c42ea342150d841289f7cb89647fdcc1e9836
SHA512 2f708c9dda073835b9a7c3e08d60d2d48ecc2c55085f6483db6cfd67df51ae031105213b4701142bd9adce65a255503f8af0359d0e9239af2bd64cc4549e2e1c

C:\ProgramData\PuUQgkwk\oOccIooU.exe

MD5 66dbfd80b4d6b6b4224dfef6d9ec4f0a
SHA1 f46608c8af9f31c2d71dd02dd12c542eb594ed78
SHA256 168b3e5df8b3a81e57383a5b5c8743282645fb6e8e9beb50fd555c7083fbb12b
SHA512 41ca93894202ed176d022059eb8cee8647a391954242308fcb8e15d4f93dd809a06dae22ebbeeab5e550dfa4934372004b326a611396b5978c9d536631fadd84

C:\ProgramData\DEkwIMMs\IGEYEAMs.exe

MD5 f61a21159a284f151986b5e833040b1c
SHA1 f47eac377bfa579cd4b9d1308fda23b3988eb4b2
SHA256 3666ca067aef9a8c0b3b57b21a9883991ba76c41a7550f87822e74c0f66652aa
SHA512 f2aa1ca90e37b42673f002fe819a04c632c1c00b2130689b2a57b3139c03d007672c6c075ab2730493cbd0e426ebbe7f2fbf529c1a902389f9950ee794a0f4c1

memory/6064-10-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1472-16-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2248-19-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4796-21-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4640-23-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4744-25-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4756-27-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4796-30-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4288-33-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4744-38-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4720-41-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4288-40-0x0000000000401000-0x00000000004AF000-memory.dmp

memory/4640-34-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1472-47-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5860-48-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/6064-42-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQsi.exe

MD5 c3b205c16d2b105c64455911607ca713
SHA1 03ca1c1bd119816bdbd909e779d92bb7ec4997b5
SHA256 a8989bc6b006df63b535011f1082d6884ceb273058cdcefb8f6ee27bbfb19354
SHA512 7caf8e86dcbbe6dc42b104bf6e17e75306a2a2c9fbc39c0b4fa6c0e51bd2e1b535d59989e60868175ed58b6ed127b8cfd9905aec08b791e2b4b9023ece8c3bd3

C:\Users\Admin\AppData\Local\Temp\OGII.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\QQsK.exe

MD5 e1c308d711141be368d4c9e5c754bd04
SHA1 e47a5b1b59546177a78bda28aeb976b69374acc1
SHA256 6fc5926c252eef4c9a562b47cad60a4e6b4ec68ef4ad6876daab3d56ca5b79b3
SHA512 ca8947a9c462d04211d0e5af62cf7832b8863fda9227539a3b4e8c2bf1521bec581f084dd754ae7dc479a5c52dd63885d56cacab28b8a42b1821be8114223b2a

C:\Users\Admin\AppData\Local\Temp\AAkg.exe

MD5 05c568e04f75af573a20a6cfa0b19290
SHA1 55db1dd0bbebf3e1c606c43b823c0ce944fa7222
SHA256 c102cf43a01e7056b603c6fc46c4c466a8b2b5856212065905131174d2aa82db
SHA512 22de217a915eef413495f50f00359e95ea9ab4755110abbd8094685a4de2d223f4c9849e5dedbd346635e9666932db537ce9d30575ab3e71902bbc42c8b7df0a

C:\Users\Admin\AppData\Local\Temp\MUkm.exe

MD5 ef71ab7586c611ba4348959f026dbac5
SHA1 4995edcd1be251e043781a6ae3dabbebce772690
SHA256 b70334100cc45c51b43ccbe0756481a7f9d4b927ea760acee6571ed1fa83eb57
SHA512 d631a91dfcf787bab8a408c289828cac95a7b815192d9e761fba940b5345b983836cb2499a88a259d5044097299c94335be84912744170ff6ab1a09e0e7b3846

C:\Users\Admin\AppData\Local\Temp\AkAs.exe

MD5 3a6ffc92ea93bd144bf82ee7f9b51e98
SHA1 6bea885516a5f5a19423ef643fff7c221070e465
SHA256 c97e95d20eb01727cbebb739711f228d1a2fb603b85cb54a1fedee2a3b53eedd
SHA512 4d644b22c5e8b75c6601fcf83598c5efeb63b1bca616b1c1d5e799e9b69dad0f8d32924589c12001d85cfe0ff06b959faf91611d9996349a0297ddbc12e2ea84

C:\Users\Admin\AppData\Local\Temp\GAog.exe

MD5 0c719b69216baaf1a183cbeddd4f400f
SHA1 c11a86f6565721cc5e128f6d77920f1ea075b878
SHA256 a5284a99fb9ae023105592921d297ab89dd0574d622eef058e527fea3fa8c55b
SHA512 74a4a24e9bf357edbb2bfcdb9abc9b2b30c5bf91813fad7187a21f2e739d2c1a18c8a9847c45ced06885826c857dc6ed851eff46a079dcd8b2e59a4caff13cc8

memory/2248-194-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\soEs.exe

MD5 046023910fadecc6f2202d7396a3eb1d
SHA1 7d165a4e4c6c1d4f066b912a21b6f81dc343f452
SHA256 d2ee5b83d7246002b33425acfbdc1220d882571a867995d830c2672180777c91
SHA512 0297823ec29d7ea1348c618fb60e3295b8758e3c69664501c200c70c4026b7940cb8efe7a18ce87c567f5e74477ffd0426479b6ff32a9239332d4c76be542dee

C:\Users\Admin\AppData\Local\Temp\awUQ.exe

MD5 7abf3d05dabd365bb7fd195800b0eb1f
SHA1 f067dce5723d0c8083513017396b08dd56b709ae
SHA256 96d5ec34c15d1dde9d84c63645e241412e4f72c5bac986edb370bca159cd85dd
SHA512 b5ceceeb56642ebe125cbbfc94c0443082ce5707dbcdca4b60eb16d57214ba19ed7cf5f04d36424c0ecd8f1d059045594c66b17888e68bcd5c132128e6e1afcd

C:\Users\Admin\AppData\Local\Temp\mksc.exe

MD5 15899218bec0b7be8203c9cbeffac541
SHA1 9b056e6cee478b27c9cb153c1b32c8fb447cce08
SHA256 05544594c7eafe69031efc0947423fe53a7feff338327ac484bcf857f2c7c0c2
SHA512 3ec3865f45e8cec636a67c20aa3864d1bd21a322c2f34f62f8b360f85ba69f779e4ee45e08d7c18e86d3f169d110395518af971ea7626e806980e160b348b43a

C:\Users\Admin\AppData\Local\Temp\CWMw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\uowY.exe

MD5 306a6017ee39efa6d7a4fb8c653f3f8a
SHA1 335c0822809d1389526fba68ad59ec6c97732aaa
SHA256 071e2eef32c7cc3a496101c20dbfbb31ae303f4d3dfd893a3df0d6215e4239af
SHA512 df89cf3997c85e214308f744fdbf7a297bdda58f281752ac95ea77bf19939a20c60897788977eead7c8c5f6a0f7b97a49c9d2d6d0608adc70b2fe2944f4b1931

C:\Users\Admin\AppData\Local\Temp\eccq.exe

MD5 47ce5a4632751780b9a818b05b7033fb
SHA1 55f23eb0e230e2b4a9f0f61028f3ba69ceefdd45
SHA256 13b135596ffe1252b9744d8b7d6f80b0ca2688300e4e6a3d64c7c4bd210c978a
SHA512 8a4117631eeec670fe5038ffa64a5143f6ff57bbdfee91c60fb2f01f4452253b1b9298a9159f8cceaa1e03b060685f98038fac686428675b56e8018e200ed9f8

C:\Users\Admin\AppData\Local\Temp\EEkg.exe

MD5 ad84e47105af5907d65b9c3432c54973
SHA1 27fac026ff054a3a0b820e84467f8098096ebed5
SHA256 ac4591763f5c4cd51a0076645a5ec92e2538e7c4df178842d816f80d998dc4ec
SHA512 6d31a1cfeeb5f6daa5955b065dda29fedb8915bf3cd88c4e887f8aa40e0d0593b038482e4eea8b6c78b58cc4bfd936b36b3de35ed857e016758fa89eb8e3cdc3

C:\Users\Admin\AppData\Local\Temp\mIAm.exe

MD5 a47ecaafd695758a7eba8dd0ced42a0d
SHA1 dbc9df8fbb1c7c8c71aadc2cefa436932f7c44f9
SHA256 f2db25b85e1dd243be7c58b5687dabd980b292819dba8d048abb0313aa394b61
SHA512 227ae7cb25a683ed1d69e4535cfe2aab29cfa9b9d926b52b29424a9824a3ffb5164e14f024d30fabc3eeebf32f04dd6f16551a0f6986841eca3f6ae7324b95b4

C:\Users\Admin\AppData\Local\Temp\gQEC.exe

MD5 f1c41107dcf216f8feb3fc175890aed8
SHA1 88bc74d18305bd42fd9445f398cbf6ee49b47518
SHA256 4058ea83a96febd4ef39d127ba23394a863f31ef752b8e2c8ca26d1ba8005f96
SHA512 ee87e15663153ec4af7692da949ad021169a883ccbb81746038e9dc60eee46859591e13a5d6cc2c0d31c257e160025a7433649264ac042dcdb30ef641859370f

C:\Users\Admin\AppData\Local\Temp\WwgK.exe

MD5 998a7b7db8f04dedbcc4cf8bbd2a4fb8
SHA1 79f282de7ae17e1dce0865486ee7fb84e2b94e4a
SHA256 3f504cd2c617607eb4ffcd3ec318bc032b0245dc7981d8cbd902dd174255e04b
SHA512 f5142075feb0dd027c8c4d2f3354518d1462cd40b1af280faf781f388ff5e85474fc58ed7ef57998585ac33e3100e62be56d63ff7a54474b1f61bf6f9d9142d2

C:\Users\Admin\AppData\Local\Temp\MYEm.exe

MD5 5149aa250973d278fdc411977d9a2d24
SHA1 61a3c0390b7fb28705084206696f8eab1d146a5b
SHA256 2f45ad634551a5b197c0e59ca0287bec98b60e313275a3e48bf26c7b7e15123b
SHA512 c294a819923c0ad0c399c5a4ca84b70f3a174ddf5efb3a7af5578c0f51fe3ea760327ec3ae7dc0aff25ffc6882378bd070087985efc764608498cf614944ce30

C:\Users\Admin\AppData\Local\Temp\gQIe.exe

MD5 5cf628bf5ec47ee7f9695e65c829b627
SHA1 da38d067fee5f7b58bc19bfb3c21ceddfb853f71
SHA256 42d7176b28873bf0813f6f47dbcacb0e4a2a6381ee3619a9b75fc70246ab7b77
SHA512 d1abd7e6b951bc405b48a5d4550c80022a51077ef861b8a74f03b8cb3de53e81640700a4f9c1c7b7181b18093ebc387def1e22b0197b9d82a3076e28fbd78798

C:\Users\Admin\AppData\Local\Temp\iIse.exe

MD5 4d453151f454593cfdb4eff230d95ddb
SHA1 8a7082d1025832d56061464eb0203e8176bc5761
SHA256 af7fe9a3f81876a94c3f525abef5792b10c3f70482fd0765227d426e0b9f6b6f
SHA512 d1f20992d88db558fd7e8848f072a25d4430ba07c431ebf547c520e88a73e9d7cae495d2a541b1489028d8e312f13f87f493971410313e6fca13f286dbb31aa7

C:\Users\Admin\AppData\Local\Temp\aAUg.exe

MD5 cff3bcbe20961aead1062d3005a1b6e2
SHA1 d733e43ef573cf88724386dd2c1310df1e1d78b1
SHA256 5f324a7ec08383e11310c77c97824a6f58dee60d40ae5fe00aaacf38c16cb1ff
SHA512 f29a5afa5465e875903f36fcbc1cc3a22ec57e433c23344548aec3c77a034013f5129a8f16f2fb498189e7426abb1776dc59322738ce15b4bb815f7381d9eb26

C:\Users\Admin\AppData\Local\Temp\ecsK.exe

MD5 49c2db98a4e4af92718d59e6af5b72b7
SHA1 9bb7feb5334618da85ef679e842519d2e7491645
SHA256 961dd4630db308e94796c1e36a4fd86a2fd2024411e051a71ba36172b4de3d04
SHA512 05769bcfab1d41b1bbcd1760e8b0fd789e2be84616b1086ad8de6caf1d535d6f39e015dbaad6e6b4859f24d0ed4fb182d6a937cafaa38ceeb511ac7eb996b9f0

C:\Users\Admin\AppData\Local\Temp\AUcU.exe

MD5 78a5ad4c746be4421e2b56553e5343ab
SHA1 035442d32aa3e36cbea027a65bfe42eaaa5ba2b6
SHA256 00bb08d61a18283dc45a03a43f7e305afdc14224117acf3b34be013edbd44505
SHA512 baa54d35a8e672b73e6bce34e91c6c70c98d2c40cd4492d51ecc70a5a055a9dd10703d1f254e9abba27571680542fe829c325023478be4744d00cb210f692514

C:\Users\Admin\AppData\Local\Temp\EYog.exe

MD5 bed8ab965597f62e4d337540e543070e
SHA1 e64b006069f14f5013631234eb73ddebbe3e40ff
SHA256 8a9a8f76447e85b3494a33cc3b5ac21ecb1b0467e98243078664f28491f87eee
SHA512 5ebdafd35ae37a33ea5e5ea27427ce8eb324ed48e40512449905162f07599d4a608096021f2e98105f100faf4c678781b63713fe39b9eace5923dc6689789040

C:\Users\Admin\AppData\Local\Temp\Wgom.exe

MD5 9c0382c002e0c40b269b5004ba8dcc43
SHA1 b5701ce25191927bbdc4eeec03c0b08179ba3cfe
SHA256 be57df95896d00e390adc319152a0d49a5c915384e13c2dc85af55f7b28a2684
SHA512 5456a58439f7d49bef9c44b2f03d06717801ac0c97aa051ff502ba060b94280f6d5e2af70c1ff0a1e120a2c3a47df70e624d9293f41c6cf07178ba53956c7530

C:\Users\Admin\AppData\Local\Temp\awUs.exe

MD5 c64974713cc132c28455d4ce292aa72f
SHA1 517b7940b92926a8eaff1bd5265a96f4a32eebe4
SHA256 d62fa81f4eb016c714d3802ff11eb1334f45109efa01f0a8775d9d8288e170b8
SHA512 8339e8ad9d9a9a4b2d4b94187657e24e9b4a3ea4c7e43104403d4b30d0d0cce1eae296b83bdaed1cc082df41f51eb8bc7046afbc6a407737c76e6f768a0fe624

C:\Users\Admin\AppData\Local\Temp\QAoC.exe

MD5 33ce296678a987879048e101a5904abd
SHA1 90ad9a078868a27baceb0069a59f4f9e81993fea
SHA256 b1af0724e4e7483dcb34e21699e9b735f5337d8d3bed856a2f687f5d2d756586
SHA512 d2a91f77838692b17dda280e5190d16ae84db04f89b574fca7f95afde35935f7a0199135701f389f15d3d25e0ddcc49e3223d60b2b7bf2ae6c606533f76013d2

C:\Users\Admin\AppData\Local\Temp\OwMm.exe

MD5 1ae0ba4c5a9e601b6bbc9876fbcc98f9
SHA1 70c3287eebeb8479173c4019873aadbfd3109f72
SHA256 d793d1d7717ae62c35e8b5bda171057b7896d9e60842024a4eb09303638f4301
SHA512 924982e7513821ec2c3de74366bc82fbfaf3c953f1cb465fe4ebc9112fc431e04cff82dd1896f451c20bbd6117123039e11ac4974f4bf6eb58c25076155dc4f8

C:\Users\Admin\AppData\Local\Temp\ugwc.exe

MD5 955bb28eb51260286d9764c60c62e95b
SHA1 8c851d4e25e5d76ab089d3dfc9ca90a90a9c522b
SHA256 1849e205478e373cffd48e599a3345b14424bc2c07e0b37171e34a9ce0dcf63d
SHA512 af8a0873805d657ceb629b1178542121207b3e98b66db787b2c91a78aa31a0682671c0c00d8c2e021cf18bf4e436855bd4a533047cc3ef9fe0486f315c2de314

C:\Users\Admin\AppData\Local\Temp\ewAi.exe

MD5 e1b802be88e7d3ff696c314b6920f7f3
SHA1 64ccbacfe995a848d3311e87d6459ecb58f76d46
SHA256 909833594a127c800edaa7d4010808d71d324a64becd0afebc03e3df57dbf19b
SHA512 0100cde9618d97b6e637c27d0f1737cefa3c1e580f0aa95e8ab987cbd5ce47514c2bfd3bf83e46187ff7c08780c6caaba9dbedc151844e0e5306f4102d40e3be

C:\Users\Admin\AppData\Local\Temp\EsQK.exe

MD5 846a63c993d5deeec01111c9bd20bde8
SHA1 5533aa42576e92f33a7b5856066a849b95adbcc5
SHA256 453edc26b94849d6aca2806fea0854eb21b535af40966cc60dbb7cb8405d0a39
SHA512 3e66b5cf87595a41dbd6714b495b4337a57961a96cdbcd08861a3db06d57d2c0c823e187b008ca78a794a687fd8d112f4ec1957ef5306213e3dcf339cbad1a50

C:\Users\Admin\AppData\Local\Temp\CkIa.exe

MD5 90f02c6ea17d7d31bc95fd2a529767c3
SHA1 b9301cae30ac47ae225dff6d56c9e470ea378e1d
SHA256 fe9f299cb368e75ea1adf2a5e1d60efd422a2b02bdb3fd2937140889c4b141cd
SHA512 295a6e76f0a591662ca5c9f1d036b9da4e1fccfd170fe6eda44ab32d767fa054b48648b7762b23aaff48f1ab6d793f3e147f8b024a73e04572ae3064a4bab951

C:\Users\Admin\AppData\Local\Temp\OckE.exe

MD5 7c9a31b3663f8ee93fdfaac4b8778e7c
SHA1 729dc3e065e2f07a6910c727b5c66293ee7cd82c
SHA256 b26d6a6a5aefb8086976473ea07cd1923f105bc4c5c0af54eb9f6aa734bf7255
SHA512 974281908c0896064eb4bfc018a7f9c5baba3dc37af1dca09a206335efc02784532d57817aeabbe372741ac1cec9b1ae041e39eca8c7bf6ef48ea7d610b193b1

C:\Users\Admin\AppData\Local\Temp\qgos.exe

MD5 f06f3ca4b26304adc43b4cacf71770f2
SHA1 c88337ea9dfc3dcd1ed4613e84521c6319c806a4
SHA256 8789dc3669b87a8ca87cc3c59ac1d6f1b46d468a969de1cdd4a38dda5fcbd4c2
SHA512 eed1d57428634767f8e23b98a9b31ffec2d2917ba7b34ef93402a8982b4d252e159dccc0f446022620ce852af124197ed299754155479e023d95ee47da738849

C:\Users\Admin\AppData\Local\Temp\ikwe.exe

MD5 3d4a1bdf7b8949222ad92caef5ae3839
SHA1 83dea5f497d85fc633e57ac4fe18f4eaf8c34c4d
SHA256 d0ae5e5daa157af163bab2de74c7f8abda12b971e6aa06ec5913939306b01af3
SHA512 2ee294d54ef8d5c01683ead3fd052909f4be27a1f489ab6d0fde1d70f6958a85bfeaa05d39e53becb4d84f5389209797cdb9cb86223148ab4ba0a5d5a83c03c1

C:\Users\Admin\AppData\Local\Temp\acIO.exe

MD5 0eed9b22447200794f534c2e0a88cbb5
SHA1 d92b44b1db98e55419f56e389ac54cefd0eb54b1
SHA256 fdccbe5df856d849490d29f6543047f7f7f664b2be56ead08c3d5129a9d99650
SHA512 9f2bd964c2b348b2f734f9dad748a3c54df043395708b553b685480966b970579a0db89bb3464560b5d8de625447b1ddc6c6c22ca3105902d074f51499b0b647

C:\Users\Admin\AppData\Local\Temp\MUsC.exe

MD5 540326794fecaf01c5b8f6a5a76d095c
SHA1 6545ea8744d44a39dc4acc1003dda9e1b5718997
SHA256 1987d962c275fd578f1d84ec05d05ffe44b11c330a1419ec1aff4c33da0ca1fd
SHA512 6c840c34a36889607d4d998dbcd06d4807c531d96c21677d5687de913986a1345f7eaf49fc75d43b6126309aa267c8ae9937b3740afe84000bb3fe75c85285b1

C:\Users\Admin\AppData\Local\Temp\sYEs.exe

MD5 2fa79f884175f9ec73a4cd57e47fecae
SHA1 063c0f713d8b000178d76284368472a0fcaf7dd3
SHA256 31c415303ed2448b348b5a06f47df168bb0d179d45e50c3172d25a2966f710db
SHA512 ac0869137ffe0b0954ce3c5e5692b59ff6f92c75b2146e8785842333d68e9a638a78f1df07fdbf7448f342e7324c8374d7576cad86ea83a1c7d6e1889f177e1a

C:\Users\Admin\AppData\Local\Temp\sIQw.exe

MD5 b1be7eabb3e1a8f812d4bbf64a88d591
SHA1 eccfb42230844eb5044041446cfc440cf4fc4abe
SHA256 6f444bbf5477e3582f1d2eece2635ed691f214f25bc1b4355a6d6b2a9445c40b
SHA512 722faf194e8705c1e946b8c3a2f4f1bd9a5e3f2f7c53a814339697ba5c8ddf964b847b5e3b72fe37b31769098ea2ce768eaebd4ea531a3f988e46efd4a2f6a89

C:\Users\Admin\AppData\Local\Temp\MAEW.exe

MD5 c233e28c8775e6967874fa26f46ea67a
SHA1 71a40a22d692a6fc100051537aad90e3719d5680
SHA256 7131bc66d8c5ad9cdfa2755a3a1a4b35082a68563bcae456cf4b557b2b402298
SHA512 1696b1705fbeb98b0ed0aa5f51daef767acb41eb0ab35ff2cb35aff2c52ec4501446bd3e93c292ab3fbfe2ddc12c0713e0b1b0fd0c09f408111bace2d913a0b8

C:\Users\Admin\AppData\Local\Temp\ewIK.exe

MD5 e615253a1d60d057a93795f6e9676c80
SHA1 a809e7a2e927e91731a4aa75d02baf78540af861
SHA256 c2aec5c1a958dfcdaca4216de53f2244454fc0d575d955c5a2325d9b95df65a5
SHA512 32cf39a823f2d9a2f491855f8ea19a5e0edd8f6491a5d3116b6859fd4db2c75a712005d1a82f528a032770b7530c101897e608a4e8fe7c26ef97f76465ef7c6f

C:\Users\Admin\AppData\Local\Temp\GEAM.exe

MD5 0c64382455df935478312847e7ab7581
SHA1 69b06de35805a85d02010822efced7d5946d5fe4
SHA256 816117979a3bbc3432f34c4c13d454f2b7a3377a47aea4451a9f6da5804daa94
SHA512 01977e4193282489b194cd306fbb4cefe1b978abe2f36b7ab30890741be0d8419d687ff135412c7218540fae8c045f1546f6010ba4cce47822f06de64d55aeb4

C:\Users\Admin\AppData\Local\Temp\kUEq.exe

MD5 6d74dfd11ca664dc991f61d923f477b7
SHA1 cf046c91f11a827c1ae891fb3d48cc44e1fffd6a
SHA256 c4c8ee2ca07ecb1109f50dfda553c00e35c8d0089463a17885d24ee96b9dc11a
SHA512 5031ae92d19832203429da07b73286cab00b1764afd96c29bafb0bc815a58819a8696415cdfa0c6f7c8ad0ec03af4f2cbf93b551c991e5224ac0e175fddf4af3

memory/4932-631-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SgMQ.exe

MD5 9c08ebb5394a35b7d230cfdc46f071b4
SHA1 5fdc6a282e6a1c6829a7eeb73a49379b53507365
SHA256 7a1b052c902f88d37544fdf6d3672274d76d40b17e20fc720c6242ed8cc9282c
SHA512 7e13106a67d5494ee29722ed4759af59bb04aa8e4f535c511bc5e401a84eaeb165455ce4a3466e25dffa180912e539265a8d187711ffe3b9c4bfef6c21dd4b98

C:\Users\Admin\AppData\Local\Temp\oMkC.exe

MD5 090553d9546beb45da660e39dc545008
SHA1 b2f256874050ed91f9a04b2ee06dcc47bc42e925
SHA256 c1f1be01908e248ae81ca7e34fde379ff92f074589aff48de005412d52204f5a
SHA512 5760bc54bd0573b3acfab30d4fb58e5f1894bff3f591f565cd3ef93dab6b83bf813593b69b995c382ee8b26e4cd82ea0fdd1ee0acc697f588c622988835af00d

C:\Users\Admin\AppData\Local\Temp\wQMc.exe

MD5 2cb2e58b8ae05b7da0f3782f5a18b793
SHA1 90163a894f1f1cd40c81fb2d8b4902815d1761c3
SHA256 f0c4bc1da8054d544c122c705b9c926b01040ceb451653afd1127a09e5983a8b
SHA512 256ce6d557fc04355577c83a45af346d49178c37d0c4a06b296c17fd26d88ebd11051a34b827a3b8c732841bedafb7eefc3865e4a73e9d99b843f2cdcfa7a44e

C:\Users\Admin\AppData\Local\Temp\Aoog.exe

MD5 e37e6e6e4a0b6b77b4d364a960ad58ab
SHA1 2039e3b71ba12c05194cc2f665ed3be8d4ac6db4
SHA256 577157701f620bc629f42c316caffca3a486a804f381bf6f06fb5315fcffe7d4
SHA512 b0b24421cbae7a42a8052d3eca5f83718ffb143ade3bbcab1986ebde2cd28a7aed247fcbcc087344bc73efd2604650e4342f658690f64a726f72ceb9c1ed78ba

C:\Users\Admin\AppData\Local\Temp\GIkK.exe

MD5 1057f10b8e411b1efb4f146e6f0decad
SHA1 9e8789f7d717156d97d0f54075b7f56d732674ce
SHA256 e12da7e751034f459bdad3b8f73247157855d91ee60be14c925883ee29574501
SHA512 0a211614e01dd8d7755f6852745645c89475c17d840cb75ece6466aa6f170a7dab8f00595d22c1c498545475b38c379ca966ee29bdb52bdf64dc918cb7391836

C:\Users\Admin\AppData\Local\Temp\sQoq.exe

MD5 f710d1dc857b0855eb5532f304acc679
SHA1 fa52f0f6dca2facfb009ac3b4025c0484e145086
SHA256 44c85ee2721a319bbdc38d12f99f8f2b2f6ef0c88e131e2080eb383bcf8cdb5a
SHA512 6d654385df9fc701193fc8ca71f815e425a271e8043a8a495c62af09b5e0db1e69d4cf3f3b452f82be7fac7be7e1c070508364f56f7feb112a65fafa4dbc7c88

C:\Users\Admin\AppData\Local\Temp\MkUM.exe

MD5 11a41357a79f149335fff4d389fc67cc
SHA1 ad51260d75a06a5603e6c5af8ba81a40123543d7
SHA256 1762be2f2b5f144a170cdf22cf5452272894268596d02d85fd4ff7153993c488
SHA512 56f60b8cf138802e7b1b607744c59cdc2f6727c57c019b8678b40140febd8e668d72bf687fb141d95bd84660226d8ddde936a4e92e6a89faf77dd6c50916e27e

C:\Users\Admin\AppData\Local\Temp\AEkg.exe

MD5 3bbd46a6c361a5416fbccd6f5a0ad390
SHA1 a7779df300481c0c6231eafd0aec38778705e342
SHA256 595ced7f0e4f55ab00aed288ae86c5dd0f820f55c05adfd4887e8a0ea47fce22
SHA512 7a9195ed78701b2a6c2bba2edf7813950110f5e7f7709f7fde826b47186f2f986e97fc32a100fc6b4629bf4ccff928d9ab919b2474f2136e9e167e9ed7913fc7

C:\Users\Admin\AppData\Local\Temp\Kgsg.exe

MD5 d157bdef3d3f9af1fdcb6d482034b24c
SHA1 a19af7d73ec6adc9e5c6d51375e6248c18d254b3
SHA256 8acddfbfc38c20cc150c365cf4119af33c8b13cb6467bcc8fdce4e852864e513
SHA512 8ebb314ae5b4a5aafcb2071c7330308353c931f97ddc0908a6fe390049d222e41e08a2e6a04e31ab1b5ab358d7ecf274f38d2606aba5e53d3046712a1f404ea5

C:\Users\Admin\AppData\Local\Temp\mgQU.exe

MD5 3368293eb074b6480791773dd54aea03
SHA1 758a45b7902360402ea1322fd32f73b8bf7bb5f8
SHA256 065baadc37f4e2933db2a7e7eeaacd47522d9a14eb89ab73ac70521590ae688b
SHA512 6b3b543c85fcc7b4689bf07534071ba61250b17fe7642b56a755a8521bf8f30a197e3636bcda5ea15dad95af7e3e7293fc0df6a42fdf151199428b969f8fdabc

memory/5124-812-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoYq.exe

MD5 159211e1ee2a55b7bea14de0c2ea7a78
SHA1 3dfc0ce8dab8cd28894c02a80d0ad1e76543b019
SHA256 bd944ee073363296ad06d7fc414df796a7729baa07bbe62f306a958fb97e895d
SHA512 f515066311570c22fc7a5dfb7c5c4191b2b1d64bc872a7b902172f6fd1d15126445369e1d8d930274654153bd1f7bd2bb9b766e044d37fbff66894f717d630fe

C:\Users\Admin\AppData\Local\Temp\qUYM.exe

MD5 bbb3a22be7e5baeda550d4d060405701
SHA1 3b9580a14d1298c0d9a6afef54ef1a0de9d6391f
SHA256 489ffec8f8fcb3c9484450d249ccdf12b3a5263914e75c800628bbb2f60bc169
SHA512 a52967eaffea7f98d57d80599d3c86cb19fbcbbeee5f33b01f373c70c119d7f581fade1e939f8a52e493cf7375e931623a551b5ca438c6e53516ef5dba0d3c8a

C:\Users\Admin\AppData\Local\Temp\ucUc.exe

MD5 7147eeb0c30584ac0efe2061b6ef3fc4
SHA1 d4473d92d1f78a8dd789a6050461960aa5e800cd
SHA256 b3188f7a5b15e626565157195a3a2c56d81f915474a7b81a66b5708dc8b873b8
SHA512 d92ff6f4cbd5d96c3ee803c4839d1dd8b79781dcd38493ca6c72346d253f1194377a9d150c5831549dc2ca972f887a8a5cc061fb03cb5db31d29214fcdffac66

C:\Users\Admin\AppData\Local\Temp\QIsI.exe

MD5 168ae5042304aefcd67e6d1563a094d7
SHA1 c7773b797ff1580199de90a9b23058f34615475f
SHA256 86fb96af6aa64b5d4df64c7b85deba0b899e3a5e39f6c7b6e49a76f0f02a9b87
SHA512 21d04018c61db62c82fbbf3dadddf004bb62b07fca2f455511f04681317bdbabf2013f55bc5b1096c2e5f023496db76e355afeee09bdcfc92b961fb631801feb

C:\Users\Admin\AppData\Local\Temp\qIcq.exe

MD5 7d6f6030d2760d07d5b430b0a0ae858d
SHA1 dec821c82b6c3245d49bad676d55b7b2be5661fe
SHA256 13b218809554047e567336e4c87fd031778fb8df3b83ada65f95140910710db0
SHA512 b2c2b4d0e14668b04fe9e9e938118b1f1ff2a4ceec8ad0795cd98c099357e0442b88d2db937c4e04fa296677ca070970bb6e1021752b9ab97dffc1a7a55715f1

C:\Users\Admin\AppData\Local\Temp\QMoo.exe

MD5 f63799912314a472b92a29eac8daf110
SHA1 c3bb5dd22d331e9174c05a9d38dcd4ed056874f0
SHA256 1acf05c7f72bcbeb07b8d52a5c279889d6a1dea5c1e96d9870bbbc78330fe61b
SHA512 5e6ed9ea1f4f0068ba1d45272fac49d2a8aec3fbec1efdab487fa6f037bc56b35a8b447fb29d70efa00be6739fe9f1490272177ab49c9cb72c10a87632b36df0

C:\Users\Admin\AppData\Local\Temp\UEsG.exe

MD5 5bcbeb341dd254fc42bfca2a6efbc366
SHA1 5f3e2315c20fd5cf73f678338419064eec0483f2
SHA256 57de82e5b77c6886d401224577019b99624d10419eebe2e97ccf9afdcd8491cd
SHA512 b7d9531f0fed730853a9d59a82fdae748cb53d1003edd01894e477d1023ff40a517eba5066edbfdfac7dabb9cf1bfc801cda83f15a90a714c965832c99f571f4

C:\Users\Admin\AppData\Local\Temp\YYku.exe

MD5 b39b9c95308fb6b534b4afab1c2645fe
SHA1 d783e1409d061f1b589ef522e0c80a7ff552083f
SHA256 631e13364f7e8c7b71ce947e9a2f06be9070f83643e21537ce007d5521c3af30
SHA512 2ae4855e336b47d3a76e51b387db8e6b1296f09f9b056d498156ca715a2496a721c192965d2410f5d6f9498f4c7a9e103c2c2670f35be690bc6e5f4547a00538

C:\Users\Admin\AppData\Local\Temp\WAUo.exe

MD5 2686df97b09617ed632d821ceab5528d
SHA1 9ef18c3232fa8b01e56906d19495a4e8b48c0655
SHA256 515f15dbd96c172525087d0d2f28b3fdd2694ae81cf27dd31282420bd97c31e8
SHA512 8ddf029378443ec69c7eb8187a9304a7fe37734afbd885ed43e518a31b25d921224cd3ad80ee1e3acbce9692d8a1da74ff920a3fb50a3620abd34f27d6f0ab50

memory/4756-989-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\soUQ.exe

MD5 9b81a9ef156f836070558c1994d6713a
SHA1 91836f3fe452ac973f393443407554d509901041
SHA256 9048d1316af80cb2cc462e279dbe0318bc408beb60a46705ce158d9aa0836d9d
SHA512 8709f03efdf69943933f112fc7e13464583c72888a6b1ffe8410e1817ef3e77fe0406e43fe554a732b791bb837d6febcb6f17d78bdda5ba1125c12d492bb639a

C:\Users\Admin\AppData\Local\Temp\MUQu.exe

MD5 3c155fcc8b7b69cc7573d7d21b48cd41
SHA1 6a8a67bc3a3870048751238f90f75274457fcde6
SHA256 ae2e425729e2418be1ddad256af377fb9edee50aaa4736b56ba17428e3fc7564
SHA512 e73646baa97d608428a6824588407c3e43b3ab4473f2839dca96ce88535d0152a9f7b1a78ffc4654a55f170af9ca20c66dc567ff48c6e0a803cc59137d757313

C:\Users\Admin\AppData\Local\Temp\cEkw.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\usoE.exe

MD5 7f90191244e96243795f8026bdc47528
SHA1 fc7e89fd5c5fb16342b6fda847b50f1d85214c4b
SHA256 211e9099447affff05c00d5edb2eb0e2998a2895d4065595f067316a2f4bf921
SHA512 51397c47d235cd44a3810324fdd8d7c41d97d7c35d37668a165544a844cc2e9aed25032c21ea8b3f966ec90dbfc3ef02588f0077c7e74d881e2ed8eac8372012

C:\Users\Admin\AppData\Local\Temp\cIAk.exe

MD5 4da5f854277d9846125f202083a6fe2b
SHA1 246f715aaae4e81af43c64768ec0bf3311f11236
SHA256 24d5d3de3692b6134eb1ed3421b4e945ed4b38e0b9d1ff7e6fe3b4dea487d911
SHA512 42ced860f5d1ac93f74901b00e3feee2fc4ffe0e99aabf5c72a46f181c57fd9da7e54f1a72a433f8322eccf6f65bce932c0783842bc50f4cafb130e2dde30365

C:\Users\Admin\AppData\Local\Temp\ooUG.exe

MD5 f6ca1f7815812f6073c083bc399ad506
SHA1 2d52257c411f339c029a14ca2b5d81240a02180a
SHA256 7061b7df9a29876704440c51e4eb9db8575c75d54b818b60a383b2cbac8d7fb2
SHA512 9f9eb2793558459f4e1a28fdfee7920d551560692e6dd021094716fca9cefb9966cad6af4dc1b2983f3f4929791f74656bcfb08ea829f1e000b7caa40da57b20

C:\Users\Admin\AppData\Local\Temp\IEcI.exe

MD5 22f3ea04912b8878127ce14080ff22a4
SHA1 53c2517492e4a5fa62470938f7a105d4458b491f
SHA256 4b8027a508afe0c29991ae4d2966e85ffe75bab013b85cfd376eee97e2b18606
SHA512 b15fb90d7cce53392a15f376372298d19a29bd23f05a53e9be514e7ed7e63b5018c6114b871c957df3be74e09aa39fd03f1ca146abaf77dd95fabc90d27b7663

C:\Users\Admin\AppData\Local\Temp\goci.exe

MD5 a1d1d14000efb3571b2b5b975d5a8a52
SHA1 ba560850571f6d8a5ae0957d3ce2aee9d1b241cc
SHA256 ff437bb75b67e1f80085a32706a8c68ed2546552bac5c434b9166594b5b2c19a
SHA512 abc22bb9b483cc59e5f5cecf0367eaabd2fd675984b0f6d9f530cee652c76e1f871d0e25eba1f20a4a2c48664290dba5c5a6e111c5c0d9b9df4da26eebfb7155

C:\Users\Admin\AppData\Local\Temp\UwIE.exe

MD5 12b938a65cde2062b9a7d711ddaabd86
SHA1 c289564bf881e1ea652b8626923e42bc94b86370
SHA256 9bb6129dbd78c4d17358645fd74763a537a5410771342cd472362c1b0f3073d6
SHA512 aca5aedfada96edc04389a7e2857f937c2e9bba228e06182ef0aa724561d814ad9ad4f4e9144256640e96f8b49e6903a7c87f2d010fd5d51686dd4d45e0cb24d

C:\Users\Admin\AppData\Local\Temp\kwIe.exe

MD5 add2d596756624754a3435428837e613
SHA1 b9fce3fd985c9e2e45c0a5a4de5708fb8f4a8089
SHA256 de5ee0315b3e327f6ed02aea00f259a7b8bb82670298c301c70b2a66c4642f3c
SHA512 61477fb4a6226a8bbbb35a13d9a81d227d92007c50f064717ed3be46bbc51c82aae0f4aff038ca8e45f742664742d3e0d3880930b1e3a39d982b5d3b90fc3f86

C:\Users\Admin\AppData\Local\Temp\aYow.exe

MD5 ffad63cf9f01a796600606e17cb27d00
SHA1 9c0f39374f5c6bf63220c742550b70ff6cc79d53
SHA256 69534b68233b556bf08256ffaffc436e0e41118cbb976dc55ce29c00e25029e4
SHA512 fb56ca43a73ed3307d881ea9ac2e0be71203e7e131d58d93b7de74f7d44e2f668845c392c603e9618c736909bfc4e09d17fcbe66a1000071eb4fa9c27bc925e3

C:\Users\Admin\AppData\Local\Temp\kssi.exe

MD5 9d05717c1d015168537f1ce4b2a73223
SHA1 7d9f9be14774afa9199fc8d05f7d15580cc0bf3d
SHA256 02e87f708160edc7b8c96edc0716c7ba75ee1c1af939193ea97ffe4461ac6a48
SHA512 4b76f2e2a70c79c676a2911573f6cc328e85cecfec0565b7d91741e521c6b25675f914475e163716f3ca4a89b64047ffadfaa6c3bdf660c132a6b78c3c9e12f2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

MD5 ee81fb914f0cfe46be77fe93cee88cb6
SHA1 78eb805f5ff25b9f9c640a65200197364cc28a9a
SHA256 bfbf07fd3d6121421cd97fa790b921fbef53a9d8a9b0bb4e6b7be5fd9e731d68
SHA512 69a08fa531d4b16ee0899b30577e1af772bd0d81baa3d3cababa58440c7fc63be24f65b28e4c67be5769bf329f5f202e36796c22b4129130d07ad977b222ef0b

memory/4720-1129-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5200-1137-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4932-1145-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2224-1154-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3856-1155-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/5880-1163-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1608-1171-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2224-1180-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/788-1188-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4736-1191-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1116-1192-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3344-1193-0x0000000000400000-0x00000000004BB000-memory.dmp