Malware Analysis Report

2025-08-10 20:50

Sample ID 250502-hv5kxsywg1
Target 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
SHA256 982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a

Threat Level: Known bad

The file 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (95) files with added filename extension

Renames multiple (81) files with added filename extension

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 07:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-02 07:04

Reported

2025-05-02 07:06

Platform

win11-20250410-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A
N/A N/A C:\ProgramData\wQUogYMc\YIkQQMgc.exe N/A
N/A N/A C:\ProgramData\wQUogYMc\YIkQQMgc.exe N/A
N/A N/A C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\\Users\\Admin\\UQkUIgkQ\\SUkwwkgY.exe" C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\\Users\\Admin\\UQkUIgkQ\\SUkwwkgY.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\\ProgramData\\wQUogYMc\\YIkQQMgc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SUkwwkgY.exe = "C:\\Users\\Admin\\UQkUIgkQ\\SUkwwkgY.exe" C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\\ProgramData\\wQUogYMc\\YIkQQMgc.exe" C:\ProgramData\wQUogYMc\YIkQQMgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YIkQQMgc.exe = "C:\\ProgramData\\wQUogYMc\\YIkQQMgc.exe" C:\ProgramData\wQUogYMc\YIkQQMgc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\wQUogYMc\YIkQQMgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 4860 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 4860 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 4860 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 4860 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 4860 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 4860 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4860 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3036 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3036 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4984 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4984 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4984 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3524 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 3524 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 3524 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\wQUogYMc\YIkQQMgc.exe
PID 3620 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 3620 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 3620 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe
PID 5096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2364 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2364 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5096 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5096 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3724 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3724 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3724 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4004 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3188 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3188 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4004 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4004 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4004 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4004 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe

"C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe

C:\ProgramData\wQUogYMc\YIkQQMgc.exe

"C:\ProgramData\wQUogYMc\YIkQQMgc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\wQUogYMc\YIkQQMgc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bogowIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\ProgramData\wQUogYMc\YIkQQMgc.exe

C:\ProgramData\wQUogYMc\YIkQQMgc.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQMAAoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySEMAwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkosgkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKUgYUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcwMQYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAQUQwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqQwYQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqIMMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsIQcMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucoIckUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giMUsAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuwUAogY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOIcoccA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAwQoYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWQEcEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESYUoAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqMUIUog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIYoIkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSwEswIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcYYgAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwowUIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWIAcQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqQgQYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyEkAYos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkEMgEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWoAUMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUkcIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaswoAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGYAUAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWwcQkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIIkgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psogYswM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgkQAwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMwIgkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tosQcEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwQgAsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqkcAowg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGYUMIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkwIYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGMssQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEMkAMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEMQAsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKYAIkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyMwUccc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMMEsoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQowkYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUkAMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEkMQYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYoMMcko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOIgkYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGgosoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSEQcMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUMssUso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWgQgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAskAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQwggAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGAkIIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwUwQkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igogoskg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysAkYIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MggEgkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqkIscMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaQQcIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqYwYMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIUsoMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksYAQAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgwoYEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKUEcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIsYMooA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUkUYoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jekQYYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUMAsIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMggAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwQoMAow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMAkIEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYIIwAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAAcQgUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doIMIUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQckYQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyIgUMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUAscEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIEgYQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miMMwsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYIgQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEUIQEco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAIMMoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laogswAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PccUgogo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WekgEcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUAsQUQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQkkkcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMMokEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncAUIkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYEkcgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsowIssg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqkUQgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgEMwQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aacAggkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmgkcUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgYcIkII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pygEAIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkUwUsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyAIooos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMIgsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYokEsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAogwkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oswMIUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWIUkoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaIgEEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWQUAMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsMoQEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWYoEwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQgUwwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAIsUMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeEscYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQMYQsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqUooEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuAooYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikIocAE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKwoYwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKMggEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmYMwoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BowIAgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgAsMQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwAYwQME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQYYUckU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQEwIEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaoEgYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIMcAscw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewkgAIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaMskswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcIcgcwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKgsIIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMQUgwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/4860-0-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.exe

MD5 df498916c57445bca302f0a095199d2b
SHA1 8fbfd84862f5702370e997f6fca549fad8cefe18
SHA256 2e58c0d4fe674078acea1c112daa345be8486f35669c973765cf7b9188efc6e1
SHA512 4dc7836baf7c539837ef4cb31c5c1440418df5d13472a27a43e51c7c0aa6c734962a01d069a7d776bcfabd466b77e1304a47fc28bdf95999f1facda66dfecd75

memory/2692-5-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\wQUogYMc\YIkQQMgc.exe

MD5 e3fe7d0fc5805d41a262288fd917be41
SHA1 d91db975ed4b93be0da4ad5c7dc7d6d4e7eff756
SHA256 540d6841ca22a829fadc1592e338fee216c7207f0d0708189ad0bd0a6a3e2eaf
SHA512 e986dd071d5c64e32df79318a52a51230b9b072c0bc84d5f64d973e42c8be8a9b1f5ad0795314cffd9ad42f19a3a166d1b740c942b60dad49cc828fc4143c04e

memory/4920-14-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4860-19-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bogowIUk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4360-26-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

MD5 908fa2dfb385771ecf5f8b2b3e7bff16
SHA1 1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58
SHA256 60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d
SHA512 573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

memory/5096-35-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 a091923ec728b28b9924f7329dadf990
SHA1 4e46d176c8da409476da53abef844b8358b41131
SHA256 1623694bc7c29f62b3fa60d0204290e9a39e84145348421ce29a3368e9609c9b
SHA512 66edf0969387e1e728f85aac47610fbe8383627e56c2811c6439750c4a4f6e90df1f0ca3f72b641da6c9ba3c3b953e682cf207d36060fc2e2246d33783e6cbe3

memory/4004-50-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3424-61-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4044-69-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/232-73-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4044-88-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 e7ad8fa846d84b7057b4617bccad55d5
SHA1 f7b13e6eaea464e4ad89289f22d89556970f71fb
SHA256 b62f2575351918c81d4aca47e3c2a3a5647a3e5c175beb2b49cc72649021a7a0
SHA512 be39b1915078e31bcf4224348b4c9eedf3eda3502116088c5273f6318142052b63b1c34d59ce239f940febad0db0fc3bb2e7074bbb0d59c459461a298d05d3be

memory/2848-103-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/664-114-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5004-125-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 d158b49279e4f55c8c8a4d0999b6d65c
SHA1 7c06bf9b3b46f38fdad1a3ac4deca9b241388088
SHA256 fb558eff4988695c70e2b08d7c8f8835f979c3298928caca3bef11ef9eb53238
SHA512 b14a3e81f715a80dcc7322cddb5a40b48b775198455abf9d498e784e2d86d849e746493965f8e9f80ad7960213b37f2c50d4f282c6300110123521d81054da48

memory/2192-142-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3472-155-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3424-166-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1140-181-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 95652971572b358fc92b47a4524450e1
SHA1 d56a13b53ea0f744bf5ed05d90ec0a0b5c2f3fcb
SHA256 a0607236ce0f143110dbde6d6abf22d18933db27ceac148671117efe6204ef86
SHA512 8b9df1f70524c667fb6c031023a484675975857f90105e8063299168e17ea9e4c435fea16301d7556cedd72b14c562d3e8dbe84a6a739e2953383cb1a7cb83f5

memory/3896-196-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5752-207-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2472-219-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4992-220-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4992-230-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2028-238-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4984-248-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3972-250-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3972-259-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2128-261-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2128-268-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1376-270-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1376-279-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3796-289-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2840-297-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5020-307-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6056-317-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/644-325-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4776-334-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6132-343-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2052-344-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2052-354-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4740-362-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4752-372-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3676-380-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3476-390-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/392-395-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4616-399-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/392-409-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5856-417-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1140-427-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5784-435-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4740-444-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/228-453-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2496-463-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4572-464-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4572-472-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4980-482-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/532-490-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2624-500-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6132-508-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4784-516-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4740-526-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3012-536-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2496-544-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4572-554-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2068-563-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/796-572-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1152-580-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/824-591-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5008-600-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4656-608-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2484-618-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4528-628-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5228-636-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5140-646-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1400-647-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5140-656-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2712-659-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2712-666-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4576-674-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1500-684-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2300-694-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1728-702-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2204-712-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1388-721-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2180-727-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5948-731-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2180-739-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4936-749-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/888-758-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1408-767-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4376-775-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aMQg.exe

MD5 44be9391004895e835b5d234bc97f616
SHA1 d46f5ae46e2ce041c7e52dceb63fe8cc1630a550
SHA256 fbfd88f90bffd4bc232b90494d0147f2cf19520902ce6c2fde6b3a9d118737f8
SHA512 e872adcd60592b54e019a483fe462c48611675f6ce3d84586ca7d0df9cf2e27b92447337481ece471c465f6be821f708776a46e9d8fa196eeafe89dc8b68781f

memory/4344-798-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2692-797-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1600-802-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kksS.exe

MD5 7434618a0ec6d8cc650a4bb0978a182a
SHA1 e01a7f63744fae6de40c4eddb016fedd8f068b87
SHA256 91766d4b4e82074ddf8c9f4e9f904fb195e543e6a69dcb5cd579dcf32d1422f8
SHA512 5baa5a96144cf368fa10ecd38c01ab0156a4886ae34f0fdddca0b4a1f4fb2c5977d3ef87d1669a90c6c4bb1e8d3b15e19a86d1df96b5b1056ef2b3adeedd764e

memory/996-828-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4920-822-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkIc.exe

MD5 0b2955e3f6f0376b8b62b5a9d62fea32
SHA1 f5cf16f0796d0169dfbd5c2352f5d8452675a1da
SHA256 893b4ee74a542c95b0f866e27a962ba297611dac0379e1983626b4b50689cdf8
SHA512 0c0b5f43403437ea299d34ca1c5f7428e0808094fd9209175bd26b94b2ed5d72e91e379ae2a254845aa30b3134077fdf90cde954c9974f8cd01fe53965f4139d

C:\Users\Admin\AppData\Local\Temp\gkUk.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\AppData\Local\Temp\mUQe.exe

MD5 8ec47da073ea9d90662db4ec58a679be
SHA1 e7d1fa521b9143ba55748071f097fe9b8dd33076
SHA256 c9ed6eb89e20a36d970ca091e1fa39b17ea6842c5d84e4a39323b10d7a305fd5
SHA512 3bfb04ed5fa4054c34a116f299059d1eba1391ff0a5fe13cf924f45f01e1126407a3bf15fdffcd07ff804c92347a6eec54136fc9403be6d920648d45019d8cc6

C:\Users\Admin\AppData\Local\Temp\Kwog.exe

MD5 4f87f9ebbf6823ebe6b692d783296724
SHA1 0c725ef9a9df2b975c51aafc739270d3875f25c4
SHA256 96377232bcd6114228e41a569d21fe0334d0ea7e5049ed6690616e0f084557e1
SHA512 0f982a705abc491a1d4072619b839261c54d9be760ffadcff9649f2e9f39a8c66450c479a6fecb5a1e39d90d393535b001b421ee5e980852289ef30b9288bc6e

C:\Users\Admin\AppData\Local\Temp\ikQS.exe

MD5 4e14af68bbfd3ab47d96de513303644d
SHA1 5c29541316553cffe81e4bd37c76ca76ccc199d5
SHA256 07e46e41836d55144013ad02787bdcf82a48ab197102cc8f75b3f73e09a4b828
SHA512 f0e498c634236b158761f99879f328ea0d85b1d83e488ee2d1e3c3ba72c89712046c216d94312a4d955b5703a6d33b585dba8fa06afb5105a800e336ad19a6d9

C:\Users\Admin\AppData\Local\Temp\EIYQ.exe

MD5 1f912381fdb29cec13d2e015e356ba70
SHA1 d7f160c3455d5c0e489128650a712fcbb5704d8a
SHA256 232e3eb7f01240be4f0f8f6da36c1ca92c6e5725c51e06b4c68eb84a2a26100f
SHA512 cb416263027aaf158f290bf5a8f94295058440bd739120f3edb4e8916dfe84082d3f8f45c588ff7058b78325b61afe1cb87ee4f01e131331c77abcee2fb163f5

C:\Users\Admin\AppData\Local\Temp\scYW.exe

MD5 5776d771489e46cfaa8f98fc500a5c4e
SHA1 2bba20986369ece15201e06327270ab57b2ec41c
SHA256 39cee80a012a46ae434f0da307f438c13ad8cd10958e90ed85372bdf10288114
SHA512 5376d5ec519bc653fb6b0abfa95b019ddcabf512556fccaa29984f2b7b994d42bb3332d510846af9bee96376d9d13d8d7f82f62e94f29a96426d2c4a9e1a3c69

C:\Users\Admin\AppData\Local\Temp\iEYy.exe

MD5 a34c0db68bee0eb7b189d403574f7ad3
SHA1 644336cae6e8edbf200d7ba7c016a0aaddc4e8ce
SHA256 eb76ceb2e2e302ac4f8501c61ff6edd4239b6000c75e0214538297e911348b47
SHA512 fb324c4d6379dacc89f8646d1c6dfd437cb0e322fecdb97bb7a4e99df40e8f8e5626a09f82a44ac4f45cf5614ca10ef160f5e4d3ca63b36a7a1705b8de13b3a4

C:\Users\Admin\AppData\Local\Temp\MIYQ.exe

MD5 a211f399a481a57ccc0b57156ca8a6d1
SHA1 2379625a7c0ea59f6bc0a8ec6b2d47f78cc38007
SHA256 caf33490a62d714934a533f1b6863c3a5ced53486d8e062658d3988819094238
SHA512 c62e4ee8ab9f68d26078bb07b2c971f617e5f77b6eee502cff1c08c1aad2f4dab35ecdea84d4b77019656d11eb9ce59b53bf374f43446cc0655a734c4908bb90

C:\Users\Admin\AppData\Local\Temp\gQUY.exe

MD5 c01ddad6774794e71805ec58ab0ac504
SHA1 4009d35445cd8816b892314124b68262d4e26c19
SHA256 770c8d12c5ee4da5fc898234d93b15f3e7f9faac8e9d0be832a53f3bc9cfd489
SHA512 eefcda7fbaea0f7080595598634ea4d02457906d992f2ce1931d3fadf5501d679bc3f3cb827140e0119de101ae6d87e7158879ae93a2f9ffd0b7ce86bb39b677

C:\Users\Admin\AppData\Local\Temp\CwwC.exe

MD5 0d443673a762cf2461bef29e559e7774
SHA1 ef34268bb16ef6bbdbf5c5caf53316d2cdc3f337
SHA256 59ace885c59d3aef6a7a0fbb4755726aace821c04e4c0cb4a35b97f07ad9c1d7
SHA512 c2117e375234ebc8150142820b8a5e678e828bc72c1252b89691a0830e398a5ba6ec714f5add788b46592fa2457eda466accca01e9b829fbe66003da8bd32605

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 03fd026052ac7051f1700f6fc11bbfc1
SHA1 faa0a67adbe16e6a16d07777a6d41f1b98754347
SHA256 31143435b759f27ca9039e0853160b37a90920adea6a9f334b1f8adc5a307a2d
SHA512 5a4df1b8cab4336716bba508474a5911d03e9c4aae97ed658eda59affa836c0c751b5e5458f61afe0405486b17411fa70cd4a1b0e4e7552a565452e5bdd872d5

C:\Users\Admin\AppData\Local\Temp\OMMC.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\IgsW.exe

MD5 7cd737013abe992880299fdee9fec280
SHA1 601c633b626517fc4498ac8a532f2d789574da1e
SHA256 854935776ccdb33ba7ba17adae447a1f8238e0b69ec37e14528c19b2e0feef17
SHA512 4516c47810d0bbe3e9e576bc68f9c6c757bcb988b34144fb335acafb9dd835a1e8c74e5d5607a19fbbda18f3bfba82f845554d8e95f8ff0051eb7608ec6f0251

C:\Users\Admin\AppData\Local\Temp\cgUW.exe

MD5 1c5026b104df67797596d85d8b6d81e1
SHA1 b5d5f2b2a9dc114834f506fd1b2478bbded07e35
SHA256 ac97d9960032ad2850dac4a2d9e55b7a8abd4d0900bd4617278e3aed8b8effbd
SHA512 078ac13095125431e628e20100d1809e5548c7be43a088cd3e9930cf4d0503c8ae049da30c3d62eef3e432091312894eebe620ac996c8f8c6b9907a3dec1bd02

C:\Users\Admin\AppData\Local\Temp\UYgQ.exe

MD5 1ea147577f7f2f21f91a36f42bb94f43
SHA1 8a6eb6277b534e52a4c434cf4a9d9cae79431df5
SHA256 fdaf27ab5b102b41cc761bcca685b1bb3307cdb83bf3bd9cb13ff77970bf2f15
SHA512 c4fff0c3c4b83233488a0c3449184aa41e7ef71e3b8b78200452dc63f88ef0718f78ad75c5849d52aa13b98bd77e90b10d78788a47c5a895131ae0a659bdef49

C:\Users\Admin\AppData\Local\Temp\AsQG.exe

MD5 bf83d1a25d79ed90e85d13919c81505b
SHA1 8ef1374de449e7aef1bd536d17a5ac9ad507ce57
SHA256 1bca498b39939e44e781a1a88d34165ce4e9353f9a7e125d70aaab0dae588157
SHA512 778f9ce8a8bbc3537dcdb26475d406d4863825d627c71ea18302283859ca3e3dfa1beeaf2c2c47988022398189e51446e141f28c62571b8c6e294b456348cc35

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.inf

MD5 abe60d6b39c1be339ea4eba10f667df2
SHA1 a9ac288eacd02dde467602b436af1155d913b235
SHA256 28ee4b06eba1e29e5283518e0b6cff3ffaec34d04c52e1b09180bcd9e9b41c4c
SHA512 91bc11269e111b64dd544ea3c94ef5cb001d3351ce889301d14cb4ed7f014f0b03f6d350d61535bf32942b7d881067c08d5fb01fe53c6d03b0cf93406114527d

C:\Users\Admin\AppData\Local\Temp\oswg.exe

MD5 aef616abde02e52fd93734cce8e65070
SHA1 9f31b22032c2d6701d0eded89d7666e0dc475ff0
SHA256 b69aa49b465d81e5bce6fa01dc331d733ed5bc01e07417f9cfd060b9c6725235
SHA512 5e4dc76ef88e052b89ac4c0ca80c49a8f28791ae0531432602a0f66db0284bf592275babed435ca11d01a455b8edf2d0b278a5564b8691b3bf009528289b80c8

C:\Users\Admin\AppData\Local\Temp\mkUK.exe

MD5 15a9ff6499fee899b1e2dd827e40f846
SHA1 1d92e50e6d05d7a11ec45ad8a341fd7a105f581d
SHA256 2dd87a659f173198a969c004d4e443fddc86215cf224837514c3a7b55a881fc4
SHA512 f38fac4c7d7873caabf4b1348298ead02bc29341822242005a3d48ca9a1594e3dea9afb81c591b4207ac46c925144e38d0ce4ca6a7557df46981594938f2ea81

C:\Users\Admin\AppData\Local\Temp\agsG.exe

MD5 5f355781c4d7ef2046acb55d70a3f0b4
SHA1 e98c1ba29fa24593c5b8235766604898154cd446
SHA256 e249062de3332ddfea6cc63af5661cc00fa681be4294a6675224fa431bc33090
SHA512 b2923e4df39eb81b83fa2fdb7ee7066b986b88791f415548fd6ce0fce4b08c92f33a64c8d5491d69e52ad38b9c7a62c7fbccc24fe97158fc596f18ab1085b2ba

C:\Users\Admin\AppData\Local\Temp\eoUw.exe

MD5 01d45e37a3963757d9185f546856d453
SHA1 e205c2f0fe24d5142653b20c9aeb3927b8b83f89
SHA256 2a731435327d955b1dfc424274a6dbe24f99bd44eed8e298f95f0be31a4301f7
SHA512 6f96ffbfb3dccbd44086af450cc0b8c7923cb143b20ce55aaa553b5e0f4a6dc0b0bbcef84dd15bfd1fc572acd67316ba1df19772df6689747adfba4df7979f72

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.inf

MD5 46123ff58518ffaeca85e0aaa548877b
SHA1 506b761f38b749fc848554a38ee4775b69823b20
SHA256 a22fdf7711dcb9d52b4d4012084056a212f527e2dd3d7a345ed1b92ddb69a507
SHA512 7b0fdbacc0d79ae7b7d2785167ecfa90c53e8479a875b09054b2aa5f9d6dc784a55c3e3261c2d11a2301ddf3b3951d38f23875615f715fb2653ce3cc559b4b4a

C:\Users\Admin\AppData\Local\Temp\swME.exe

MD5 0b8a1170b3f63288175336c8bcedb38f
SHA1 4f23c83de2d729840daa7650856819c9f52a064b
SHA256 7577e6d953a93765368397fcc7ab3fb256f679fa9aa2a03a0c79f64582e85bdb
SHA512 2414a0980f136858050df1f16087249c1c59cfccd9c1b71e7532737847428ebc8ab4166887388fd6d4404ef326601532063a2a2dca1a996bfc3e03c9250a7b44

C:\Users\Admin\AppData\Local\Temp\CkoQ.exe

MD5 b8b93e73b6aca22e794afc8d48de18b7
SHA1 f55f775f11548a499020eea15b82ad3e3011b4b4
SHA256 0d329d9ca701a9e358e6aec82436f3db758fcbdf5e6e81d0b6e3a271e2d57fef
SHA512 7061e71c75b6171b03a8665127dcc207403729e02c56c23c1efa4b3e29761c76dc10d5d44380f61c4f265523b9bea91d04fd359cc8b6c1b947dc39a530b7fa51

C:\Users\Admin\AppData\Local\Temp\kMoQ.exe

MD5 de43e89258db4156025acda5e924e119
SHA1 ef31c10dd32ffade677e8fc6c9e79b1d7cf355de
SHA256 6338a3671cccec1136a5a1400e10c33c9ce5b25e1abcab6ab748191634aed26d
SHA512 58a92d51b73f14e0b1910adc48030a2ca779550752df2d6bcdd61457e9e4aebc898c3c0ae57c40aac621dc44e3abfbd02a676e59106c8ac5511da2023068116d

C:\Users\Admin\AppData\Local\Temp\KAgQ.exe

MD5 9cc4bf6e52651e4b65c6452da669a373
SHA1 b9a98806b9c8c8832116a2924ea4b6c1ca2d4f74
SHA256 d46ef39a8e9f3bcb9f6582e85d9932903c737d911c3cf8cb53a46a1eee76e3c0
SHA512 101b219168cecde01c84c29b8f7a1bb8167ab4c733a8a31a0739b7e2d7aab41d175e84dc2a76a74b83c139b585ff99534f8d714d7f85cc602dd58d494e359e12

C:\Users\Admin\AppData\Local\Temp\MQUW.exe

MD5 2efd17cbbdb4d4ffd8d58cd54b00a336
SHA1 73f7586634f31995763ccc1b047b4315a6426537
SHA256 2474d826f33457859511447cd7ccbf0a9f68f7c2cd9d271747bea23002efd8f3
SHA512 753c2e99f77e0e72f7e6087d80f340cc30a8ee155a04d6d3bbb2e429bcdff612046ae4af5df4ad28643390e0b91406223a3beccda6201616d9a3cd15e680593f

C:\Users\Admin\AppData\Local\Temp\YQAw.exe

MD5 b176e712c1a399eef24d6243008d7d64
SHA1 0f836e5d3279030c568ee9663040b15736d47300
SHA256 cb0cc75c36606e524b718586b9834ebb4edafe6164435852fd7d001d25a2a83c
SHA512 dd93781a62f3b83e9fa5475ee20a903a1101585f933c99e9e908685155854428e49cc8a06a78e08c0beddb941c0308d3400eca952151babc7877ae7d13e5576e

C:\Users\Admin\AppData\Local\Temp\WYsU.exe

MD5 8b98522e1111c3bcae02e1122b396f66
SHA1 a2f8a084e28e5b8b08128116904652690011c0ca
SHA256 5011892f923d8934c6cbb46ee26b21938bc39561424218c5f75ef18176ea9dc7
SHA512 212732b2fc925a0a16c5ddc54bd7ef717140c45ab366c159d6fa392dab59f0253b9d8595902a4030e93c16279eb35b49e4e373773db1cb6b950a9f9281541b31

C:\Users\Admin\AppData\Local\Temp\AwwU.exe

MD5 5b442a5a58e9eaefab9c9168cdc51614
SHA1 3f462ca871fbfe274fe72e5631c712a3cfc03b1e
SHA256 70368c76b401a9209bfc00735d43b575f8191cba8e4f0ce539defe6337e02ad4
SHA512 10991497f21b4ac29b6206dff6b3ae8443a87bc728f0627aeeccc631837c6994714ca523c2a31a6ecf8383561efd2151f5db5a628b80dbe168606806fc87b900

C:\Users\Admin\AppData\Local\Temp\CkUs.exe

MD5 cc1b16e992c5f3a4632c6d5b17dc8f10
SHA1 6f391abff82b9439bbd082f3ce049bb477bbc861
SHA256 63ebc98aa25c7ecb75ef3f6ddce7b7152287fe7a6eaf61ece4664563a4111925
SHA512 5b7143387cabe609e8f59132384eae9195a53927b8ec7f8e45b6a8c2e656fd054755aad91a7002365610987fbbabf7a3012236dc3248e208bafcdace23cc6ff7

C:\Users\Admin\AppData\Local\Temp\IcMc.exe

MD5 cb621147565fb289e3c4aafa4db2c278
SHA1 d2de1d199fbbabbcebe8d32cb892cea5e55f21ee
SHA256 7a05093d88613a6e096accaaca17cefc7ae89da7b8f779e89849686788a9a3ee
SHA512 83f2890e5942570c15e94d3008148032eb33035f2a0dafe62a9bf7c24940f9ef3a889cd930fd14f820343e3ca3725e19bf0d87c51049d8c8c72a4ffd0750d9b7

C:\Users\Admin\AppData\Local\Temp\CcQe.exe

MD5 158a8ea4e36b61e77754a35c7647df4c
SHA1 314d074f2a5261c5f41349b38d9a60be7161634a
SHA256 0d21058f9400230e4f11a386d121d3cf34a988c7dabbda5591235a3c73f1ea48
SHA512 5f2fe002881f2fa156945ed8473889324e7ed6914e7f65579e7b5cc27dcb110841c123de1a0920371066e8027ce80e4b91b6e6670cbbad2bed3ef2b3072261fe

C:\Users\Admin\AppData\Local\Temp\gwIw.exe

MD5 1500bfe2c35c664c509c4571c95aae11
SHA1 e1d37dc1d4b9643c119f87488018e6f6fe14ef7c
SHA256 435c6f83ab2ea77ed76ffa232c95c799e0920d98e8260e58e3a0075fd139524e
SHA512 75b96acfbf296292458a1670ffb0bf844eead93c93d647c2c86fb41774362b28211dec6d6005ae762277777af9c735df5df6f06d0fe966b4c8aa8beab0f836e7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

MD5 8736432a9c10edb9dc5e6f06faa320dd
SHA1 b8b9b81630230f44018139db4d6ed4d372e92e32
SHA256 6503b533d24c9635cbc9bdf07ed85767a2e07ecf5a9eb002587935a9f11de104
SHA512 8cd989770d0575621d6fe885af5afe1a8af368ffc0033353f54d040e571533ba704b8944f9f0abfdb7b1bf4b6fa52cf0b9ada49d808252d4b48f2d18487c70c8

C:\Users\Admin\AppData\Local\Temp\OAUC.exe

MD5 f708e82ce5d8feb0819e31c87f6f96a3
SHA1 9d6cfec6a2449fc09ba6336b4cd5e70a2d115e43
SHA256 65ade7f76bfd499474bb8ed57e45c592d3e89bb6ebb3ea940c02327e10299020
SHA512 007fe1f65466360e65b3bd1c5c0e75f452f502ec6b99fdb4e863685f777bc0008e811e4d4eef9c31c28b25bb07b8e48e6d4bfb91354974f6d20308f26695fddf

C:\Users\Admin\AppData\Local\Temp\QcYC.exe

MD5 e0e1c43ba4d1c3de43aa1b0ec89993ae
SHA1 7052a2bb0c5d2bb8840f49da01ae7bcffb25de50
SHA256 2041b69143c30ec0c2860492bc0863157ff67bce39f5c504f05d333bfe6a986c
SHA512 39759d7cd9596099648dc042d8c317ed65c2a17dcb925b1bac4013a14036894c5fc8add792587aa5a60ad2815f9d80d0480bb562102fc48c069ed7a9e1d7a99f

C:\Users\Admin\AppData\Local\Temp\WgQu.exe

MD5 7c46584b3ef377f7b23d8d4b1e4d3858
SHA1 981843fae7f1b2a94a7cce698da7c951e649908c
SHA256 384f48cdf49375924e19d5f9108e74e4b0401e4271be33af24f0e85d6232d58c
SHA512 c75a38e5be09578b65d9ddb9dcf7c255c59f1725aef0df1be0e7ac5841b794507cd282056826cb2d0fafaf39673c99d92b82eea740c776ee7996bffcf6c0a2ef

C:\Users\Admin\AppData\Local\Temp\MoYS.exe

MD5 e24f932f5aa3e0bf1d7464b93e247c26
SHA1 48d2d6ef62de8be318eebf28fd0f69d0d42c9393
SHA256 4fda417d942c6de308fa52c7c15c879c9f3db705c14cdb6130c8ecb7f034467f
SHA512 fefc072936902afff955cceda0446254b86d34ea6402b84c0bbc2d15e034e917f543dc370b20dc4894e090f0928ec6c77bbb0380f8da985d0e75bfcb0e3a5648

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 33bcfa787125b481a7d9076b97c85f4e
SHA1 189d1712fe27b617d72991eba068de85e62e285e
SHA256 28ef27ed39f9edf45102d219a6cc5b1ebfa08bd86bb2437c712be56185f8c83e
SHA512 fd055afacb6d96e7d99a36d21e4c3bbe63bf5a6a6be002c9cbf704514eccbd947bae082094487a40c20b5dd25f181bb82ae7eecb28b4e6822d6d84b76bbf0de3

C:\Users\Admin\AppData\Local\Temp\OIUo.exe

MD5 1a2388d684fa72d55e70936338582ea2
SHA1 780676e3b68888c5566ef16917f8d2a2e9111676
SHA256 5c2ceca168dbdb61167db1ae89a4e5be73e17726aed19aef955d5ad9f7c5ae44
SHA512 ef847dad9f3728a075ca63be0362d0f2dab059dce42c16835b6d2851cc474698ee95b821ffc394fc7b02797fb937db7d709ba33d5e58d67b5e9b630b3454a94c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 de40416ccdefb03ae2d4e885689bb7ed
SHA1 7296da7cbccaa090589d9461de33ddc27b1663d7
SHA256 8fdfa86ce9cc9ac6cecf32b904ca22fbd27dcc9894e1bb8a2bd5a337f25c3236
SHA512 9d40c3fee1b26d17511fa4c866bef2b46598f16ce24e7e0e2b0c944885d6f97ebb72dbc8b041a3a6259c02a6c2de8f573ee3a696ab45740bdfbbcb7958c9f809

C:\Users\Admin\AppData\Local\Temp\wMcK.exe

MD5 5248f10967a01aed593329e966a696e5
SHA1 031e02ab8061fbd9666754c6364cc114489127b6
SHA256 554b21cc8dbfb28b6d6acd860dd80477c0bff3b69b0b78e2c2cfafbf8f5dc9c3
SHA512 a975846a3dffda78399212830331b5289acb4eb4a1900e944831957d1e852a36fde969d9b3d9556a9e50558966ef8d7e240fa9d3ebd9ab801d9ac516a52517bc

C:\Users\Admin\AppData\Local\Temp\Iwos.exe

MD5 554a000a108588ebfbb019e9596b446e
SHA1 951a27ded1840e13bc37b708f014175efb1ed442
SHA256 6b95498bf8548dc7a7789663ebdb6ada025e58eff39a19d6660aa03251d68893
SHA512 80e5e619f2500d9657ff1c4d911467f455d53010461486e0cfce30e2e26be6009544a0d98b7b433e76787676d1f1a5954c3fb261a899855ba8864d2812f563e1

C:\Users\Admin\AppData\Local\Temp\MMkm.exe

MD5 8fc4c0846a219b9c8f482f2af76863c6
SHA1 1aff12cd3740f518b29a46fc4815f6ae1b5b390b
SHA256 79342ba27a03da57b04c423c39c87280b0b35f38542fa48be0d586cdbbe27329
SHA512 f00d101c5f61b1f5eacbbc9189bd8ea358d0439a3e8b97acbd7b82f0fae7641f55ac8aaf6114ecdb87306d4c5c1655908b95ee3c1bc35aabbed3bda8163c7ba8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 d4036949c2875bece76193d7320cb58f
SHA1 353d1c66b25280af8f78602cb22efceef6948467
SHA256 cda3a02f4cfcf81a91b2a557a69c2b8d7cf435ec5189146c53de0b795061a462
SHA512 4745cb016265e675e2d0abe586cb30201a591852c65f6d73ce7917aaab8d1768c102c2b5fe105e4bded1e35565af863c64cab91ca3406075cca3fadef0eae137

C:\Users\Admin\AppData\Local\Temp\iwEA.exe

MD5 32e085229bca3104cdb4f5d47cd234ef
SHA1 19d039b34fd1b81387452246f40a37aeaa9c308d
SHA256 55ebe16ef3b5eb3a1af0287ed638a1c1a31dc54cc6e6fdf9ee00872dc8896ccc
SHA512 9328f67fdcc93116f6936f48386b257fde410747270758561d6e070b09b95aabb69d8102aed2c1c5fa2237ac480729f70175862d629252257fb03cd8351d1b96

C:\Users\Admin\AppData\Local\Temp\QAMK.exe

MD5 cabcf011b7e20252cc221b00d3066aa0
SHA1 5197ff514d71272c2a0c28e52e7b9a67b4239eba
SHA256 3e51b1c2e4a6fc4db52b969d4c2b557583af87422494dcd48631722873e58f6c
SHA512 a65d41fe149c78661e4ff4038ed71341666f8d703dbcb1998c2c7e234ea4723d3843f9df8b98b0a97275d43e276b226042a9d62ba2524976e685c155b4a0e172

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 4696ce590ad69f5c411dbca01ccdef09
SHA1 80c39de205e1cc4faedf9919fccc153989a09a67
SHA256 e081291fbe88d8c4831c4b184860e626e0a21ce8394b4301cebe35461f2f0b5c
SHA512 6f075f7ccc42bd90b18cd465839a9c7a9e0b23b1b09f38e8a926348fbf308e2fa397aeabcd88e6a366630f62f62f513f80fd9fa953fa2986c32f566357f93c1b

C:\Users\Admin\AppData\Local\Temp\mkYa.exe

MD5 bda3364c73c1124d8f5c94b35e41c708
SHA1 5a289745fc6d449df00f9eb36cb0ecfea659cca2
SHA256 28939ab87ca0f4713d000b2f2a4ea2fc57c90683ad27f6aa859408c609b74727
SHA512 465aeb880a555e822512f6550c57a6ddb577b756d342eeabd938a7beaa6a53d2fb9900e3c66e1b46ff43ef604fb01dbde2183e6de8df808d2d03272a530e8bb6

C:\Users\Admin\AppData\Local\Temp\wosa.exe

MD5 a95af2c64a939baca305620f9815ec4d
SHA1 5109a487b7e264723f8edc448ac3f192b0de2365
SHA256 1e7ed8f2a9afcc060f83e7e3313c139fc79747db7149deca07431be2563cfcce
SHA512 e6a98342c48d89d130e0d0eae2179a5e307b4636a4840d50d46935f265f3c7d46ec436b87bdc70126d40e8b6394b314eb59f8fc3908cf2898a9caf0cc696e9d7

C:\Users\Admin\AppData\Local\Temp\eIYI.exe

MD5 5bee009b7896e3cd1aa42c1b5d6acd90
SHA1 b913b224ac68c62d1802874290513d5ad07f82a2
SHA256 f1297bc961022923f8a8b971c2c1d649469c7e3b085a46ae895c7cbf225a6c27
SHA512 1068dad12d27a0caf7d9132f76f6c965557007772864716217625453d5b47436aba52006cf6668f30f2ad4b1e5b5d036b2c09347bb50b83b0e2c1873fdc2bcb3

C:\Users\Admin\AppData\Local\Temp\YYoM.exe

MD5 2f9095eb39ae1759aebf3c2efde0f242
SHA1 209e89012e63a57c056121a75dd9bc6dd1395345
SHA256 b1ddb5010b68e512803ff13d4da3f1453dc4a3af18777bc296a7a241c993123a
SHA512 ce411c1a52476c5b2d80766c5b3866256ec8c864cc57a1d8d1e08830f2befe7e4627546fc4fc4ec0337da7222da89930dc4f488e8381b4887cd60f9fea077618

C:\Users\Admin\AppData\Local\Temp\iQwS.exe

MD5 b3939468d0ba97e871f4645b9df8d24c
SHA1 e530aa3cf2ed0b7e700c623de44c7c8b33822269
SHA256 e26d261b8fbf3e865f1411871362ee9f63196648ea8c104c0f42488f7fe73d34
SHA512 fa202fbd7e98c845eb244a8bb8f28de64aaa349931fcd63c7bd2da7c421064ad70eefd13d3d8fd1cb764ded3e747d65d39572ddb30ea1aee112c1f9149e09fc2

C:\Users\Admin\AppData\Local\Temp\QYko.exe

MD5 1c584c543a1ebc1673619aae16458c6e
SHA1 8c0bc95ebd51e16ea14f6f86b20c8d9600d7bb31
SHA256 5a7273bd7c33b2d4c15c5760d7cfda36df4e23ea5e805b0bc2211f676ce0936e
SHA512 8dfdaccac99243a5c4f6a86bb4eb3a028a8bbf7047078b8c88eaec843dbf6587bf2bf523465a79eedf612424e62948c17a7daf7a28d456e8ee0a5f36c6a21235

C:\Users\Admin\AppData\Local\Temp\iIEM.exe

MD5 f260a1cf22b9396ba402561ea81a10cf
SHA1 c9315b5a90f14c64f0c80f157c3a1c7e6f7feb8f
SHA256 f343c7256616b8806eb7efdb1e998f933e6cddc5db6f11cdf6ff95956c6207c4
SHA512 c9eeed0d8cff1459e867e4b8f062d51e70ecdd92cac7ce665da4c9451620e931b7a1d90bc40cc684990c2f4c0866cddb57e139858ae1414aca786a430174a34b

C:\Users\Admin\AppData\Local\Temp\GkgY.exe

MD5 4496d568eddbc59823847cab2f3af146
SHA1 f0115c655ec33928a079e8c04e896f06f25367e6
SHA256 c8e8fbe87949e94ef47442eae5239c05598ce504668c9326f712ded186a49d95
SHA512 b25e346e7e10a300238a117c83825e39a1be6ef233cb41311a0462333de3f6e8c3e0bdf601dbeccd5078892d48724ce95a4847d01614b64fba36d02130b1242b

C:\Users\Admin\AppData\Local\Temp\eIgK.exe

MD5 ed68e3afed9a091417dabafa54571a2c
SHA1 8997142f5b7c526c57527c80a6d3042ed712612a
SHA256 7b986efa49af130991ef34e4958dc40469088fe549dd042b4cee7085b37a955f
SHA512 9fd07c6e67f854d4d7bd3651ee3960ffddd07d3acd378f18f81aad73bc2831913b71ee04bb746839f2f5849417e342f6c2f3e536be570215c4cf79e91b12e722

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\128.png.exe

MD5 7e4cc7e952fb5a9d0c73e5bd461e22d2
SHA1 ac7dc718496572731733579e0569fca27786e69c
SHA256 b29cb21cf115eab50a370a0fcfde40ff3f304eb0abb4a926dedb8672485ea40e
SHA512 cda478f6d3401b318a623f6bb7183b5fc45b99ce921cb4e34bcc8522ad3ed8d5d48fcfd3780b17ab222f94a475651afde7081109436fa2a774330b815e13c317

C:\Users\Admin\AppData\Local\Temp\iUQy.exe

MD5 6e185d72fd99f22c3c31bcb624d1d6a2
SHA1 c0786ba7fd028713929c6d08484fe17194e53913
SHA256 645dc788d0098d80fbdccf9c7d891e57034f78c3b4d7fef2fb0e7cd98d44cf12
SHA512 28054020e43725d8d9d860cac4a50dca327ff80c2c207db070f4dd88c590b5f8be5f4093f633b83ed0d444426c20d59ed52fa7237558f3f4de2c1369bd19a8b8

C:\Users\Admin\AppData\Local\Temp\yUQs.exe

MD5 f7bac5b264e56acbe7fb2ee3fe01beef
SHA1 dbd0c7cd3e158a6af0c8e6f5e3cdf1a5a443add6
SHA256 3fa709ef2fa5c63c493f082114841335b98efa910c99d32c2a954faed79a1cfb
SHA512 29faa323593c20336983deabb73039739bdb32dc803a8df1f2a1e56752a5ba0021d6d267c84a04ac8eb60de0f69da122ad4fddfa5ae6d94f2ed9834be1279c34

C:\Users\Admin\AppData\Local\Temp\qswA.exe

MD5 96cf2de95bfeb17fa4b155e382b6759f
SHA1 6843f0b72abf215d327667c747c3d9448635d181
SHA256 785617e9c9d5e3c2e60176967cd18008fdc526125cbdb3e5c19bc887ab4cb5b9
SHA512 22629d2909c63d67ac24254c2da18628caa38895c38668f490223c8d7a0687c60ba0c2af78f90a4d7ee31a9fa2ba2993713b2bfbda6635738afa71b7e4aacb12

C:\Users\Admin\AppData\Local\Temp\QUEu.exe

MD5 01de265a52630762cea87d3454df53be
SHA1 462b9076aa8b17038052590284ce42442695869f
SHA256 aa93cba6d5b7d903a5fa072f4c08615f45f82d9baf679f20c9483f391fa46686
SHA512 85c03d3cd9a02c037374c84c2a1d85ddcbabee402577fb8431b6cf6e1b78dd7e98278263bf2599653d6a302df02ff50cb08ef56b810e846f0920ab215f83cce4

C:\Users\Admin\AppData\Local\Temp\qEok.exe

MD5 668eb00e7bb175df44fd531295cec88a
SHA1 04e82bbaac447a5ef707d3426de7b71eadcd0c34
SHA256 c62a62d2ba9650331849d6f6619b7e80d760b427f98916ba72324b0d784aee88
SHA512 49c4cdaac8f0df18d9b76d71f96ad4e1dc6838653f67580eb2f7f38e8cde44586f765b9892c4fa192270c35f0372b432efddf35c0e5941c2e3703c640b14e9a5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 2510459e0c2dff9f36ce8bbb357d1ea5
SHA1 a45127ab0fee2af6f0c91c849121d6ec8bf2a7fe
SHA256 6adb01c28625c151a36761520ab72804267c1e80a30cc28780b27a906f70770c
SHA512 29c25072d0320cdfd3ba5935e0a4fbd07cd6a67f44376fa4e70fd7b14bd6cb2c22add08321e63e033ebaeef63cde1cdfe622ca5e2cb3cf452c069da44122ebd4

C:\Users\Admin\AppData\Local\Temp\EoEI.exe

MD5 e285a57b620666242fba8aebea852d93
SHA1 61913fa4982621d98e1acbf4d750472d1657f49b
SHA256 2b7450dc899c10dfa52f1a6b4e5455a6f5cefb9c94d6ef5e78c8adfa2da554a5
SHA512 8dc6acf6c1cebd508da6fd5a15fd31de304969d1b1bda7621ee82526a5f0d9c63eed3889fda76fb1dba88b00b76d516902d76be477bbb7c8fceac3cc46d057d4

C:\Users\Admin\AppData\Local\Temp\KMQm.exe

MD5 4133a446e72fb9f41bd85b2ee57fb4da
SHA1 44448554f1aa726b549e82afc4e315cb5abbe572
SHA256 b0ff873a62d6c25e28dde17160d81839749cca1efd96fc251fd97791c4f92bb9
SHA512 8f0f510209b270e7029d64f03a627820ff3b634845909f927366e6367b97f0576292119a738e33d05a3758093acd4a132a63e6b8945f33283758f9cf12c7fe4a

C:\Users\Admin\AppData\Local\Temp\wYse.exe

MD5 5a9b8bbbcfa1eae826080f7115bb669f
SHA1 75dc2e3a887e8eab1fd14f46302b794aa46b9f5f
SHA256 105ea2de03041d2a3483efee3a4ec49716adc9b64478f942193d13374e6158b4
SHA512 fc69d0137a2ea8a8a787de46c30a2bab7f811dc71d46488b6a950eb1b1cace5dbfc4952b3cf1cc738f3592fc6c3747057ca29ded4725c2f7c526d8399fcc8f19

C:\Users\Admin\AppData\Local\Temp\UIcA.exe

MD5 c6feb8c10222a23cf3309c57fa3dbb54
SHA1 80cc8152f884dea23f66897e0d50cae1d9aedfef
SHA256 61755fcc87dd9b7edfaa11adabb76fab95177eeacb30ff078af4b65350990cae
SHA512 d2672d2472040e84aaa63e647b49d19db7aacaa50e85d7d1b46bcccdcbb973779ff7b38c39c00b1da46f7b0cbb1a4140d64b36431a16c76c481886359cbc5d55

C:\Users\Admin\AppData\Local\Temp\qIou.exe

MD5 d88cf32a7c171947b491feb85101465f
SHA1 e96e85d73e48f4cc6c04cfa0869c41aec32ea76d
SHA256 509bad68233e93466baf684d286805f3215ac7cefe64ce6edf52af36d18c5274
SHA512 2bb123bf8ebc038705819eb043c0adf3d88fe6ea329515a5ac36c886aebbceca3fd85765ded1ef257bd1a0c0ab70bc17ab86330498d4b1f20cd5d0bd2f653ce2

C:\Users\Admin\AppData\Local\Temp\SAwu.exe

MD5 959b37f23a480ec1a884f6bccf77665b
SHA1 bc23140cf2398710b93d90693a0791ef9531b29e
SHA256 d3fe0bf9fcf0f272fda9cdb5c55f8e97458d6624f8893065c711c12f5bdf870b
SHA512 96f9b239943c5bbe298713c82e35d0a57ec874c93b1a2dc443c970562d91d1a53cccd5c4401ee6a948c9e5178609b24a0b29f2c282a80c2fe3aeac6f8909c37e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 b49a2742ca63bd00b04990c88a46c7db
SHA1 6ab1e2056fdfb99fe14591b959f0a9beac9552e6
SHA256 6815e075e7ca89f55a54d88cd293cebe42cc4f09efb5a34055a44cee76c91413
SHA512 ee55e196203f7b707ab4133aca3f96f5df89bde2b0dea85b951b04c3bff42255d4b9daf93702d9dbe833d8745bbbd5928b88011edef18b534bb68b7350e29d90

C:\Users\Admin\AppData\Local\Temp\IkQa.exe

MD5 0e2b430bf31b9c0318d7ffb7674157ae
SHA1 841827dfd1af835a6aca3bc16181bf07461d97b5
SHA256 0670fbf7a839faed10f25e5a360044b36e83f747c281957c023d87a72b8ce691
SHA512 36e378cec9098108a2c95edb863da973bda4080320806f232572f8f7ad73f54725bb790630f1ac75cee0a629927bd801aba4846228bcf8795f33a94092d1131c

C:\Users\Admin\AppData\Local\Temp\IIoY.exe

MD5 1872f1a98c2d4c6fa12e90c41fe5118f
SHA1 29aaf9363a28d56c94cb61856d1402436f6ec016
SHA256 21bb7fbb934a6b4d367b76490e7a42214fbbc94bdc765bd9b04a4967a4f556dc
SHA512 f741e30e87f2c216f8400b331948c49781ba329828827290b0d909f90278335d95d713aeff337872bccd120a3084833cd10d29f9c245b4809962f36f0bfe1a66

C:\Users\Admin\AppData\Local\Temp\kMUG.exe

MD5 3ae9c9c46eac998d52651fe2f2cda8b5
SHA1 5ba043ab2924ffc0c75aaa0a00d0404adcc85e3e
SHA256 66a9c10ecf891c39082e307cb35c92a78c58207b2f1868a5b4b2e18e4779d083
SHA512 da064d435df1204a6dd755b25c05b877827672bd22737f12416a5edf36da6faa077e58ccfb74e59a57ac81f892c67b8544b8b40b8b133552c4fd216b719d34b7

C:\Users\Admin\AppData\Local\Temp\CkYA.exe

MD5 acfc58f0f1e36f9fe34a301ef3785069
SHA1 09f7ed4b2da5df16a703b29912f7b42d371f11f5
SHA256 340a2cb2e5ee7c54e4dfd90035dfb1c8a008c7f5f794f787d4afe5209cc02097
SHA512 e97a3fe0f99669dfd0c9a9fe63afb5e70e6df15fbf343e2dd436eebd4c2a3b41605fd102e9bbb6a0c50c81c0686f4fe67c4999822e03df227464c21ca73dad75

C:\Users\Admin\AppData\Local\Temp\Icse.exe

MD5 dbf95b9521797951bf73dc5b14d31242
SHA1 06819449dd8e8f228d3a50fd1bb787bb3778314f
SHA256 ad96fa8372c25b77d04fdbe3125422a1fdd37bef92bb4213f84ac3c60cb716f1
SHA512 67bfd1efda80d2067e8874fc62650656e781788cd7a17e9ed0eb7b296f4e65d04afba27da3fd3d3498271b1d2ffb16897b90fe4ff1b5603a3b2d33337b85705b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 2938f82bab6dc3aed57074ed7ab48e1b
SHA1 6d52e194b2d1a438e906ba941a07b161b30f4292
SHA256 687956a16e87a0d31c0d3e657b95be30d7e4ffe02a58dc1cc1cf64b6a722c57d
SHA512 ca60c62c9e4cd6cf55bdfa1b8602728f442fc1b4af4f11b8f7828c6562905895f04590211776a0fdd5544d8d38bc951d988a68ace3f6d3cea0bee8a2201a16e0

C:\Users\Admin\AppData\Local\Temp\GggA.exe

MD5 35ea65ff2905cd7d5d1a659d00d07512
SHA1 c574161f98e43ef1c88fae0e89513da1397e76cf
SHA256 023a0b2a7e4a0bdc68c89ba52f653937caed45d2f35a9456fb964360d0ebd82f
SHA512 31c94772080707b56ded290ca5197afbc1c59e3d8297708617dbef0717ee795e792e2ef21ab106a64ad6c9f13a504dcc88a396de0c67d3e5de51f418170f39c6

C:\Users\Admin\AppData\Local\Temp\mkUw.exe

MD5 024c68d8a8d391b59edd1e66cafd59cf
SHA1 bc0b1a983ec3d39cd7887243419a58234e479298
SHA256 46b806f92d9d48348e5ba4f6b9587e26dcc03088871d4b537f769cf3e0dc4a5d
SHA512 8b722e14708b7a3b577f33d3c0f7cd23f1ca63a703b076b859c86f34fdde66f8e2ba2bdade04e588573c6cab77ca30120dcc946d608f47cd9c344f85a5c657a7

C:\Users\Admin\AppData\Local\Temp\MEcW.exe

MD5 d0a07b197206e1d4baaca81dbf679ca3
SHA1 0b5537bdcd612e2c41bab205616517f0731a26c7
SHA256 68b53657a74dfbdfb07c72bfed5526b081ddc8a578e7b245ba07d35cce29ed7c
SHA512 342b2676a7312f1dfbb5aa620cd3a650cb26600e4bc53604c472a6348740817ca9ce2b0373d283a760f928472ce9fba0ecc53b0eb5a9785aa1d5dc6c2f19cd8d

C:\Users\Admin\AppData\Local\Temp\Occo.exe

MD5 70079a185c0e06e1a4763a7f303fbaf3
SHA1 99be451dabd592fda98273e7a8533b2ae664ad0e
SHA256 cb915e3063b89cd3efda6eb6dd2b1b9fd14aebe36be113e3f7efeff4b6fa1c8c
SHA512 995213957922bc7e8a084260a1b99cc7df71866292b38242784555a8a398c22d2d897f877b356876c75aa086bd48b45b42d7ab6a7a72e76dacf45ddd1eb1e7e8

C:\Users\Admin\AppData\Local\Temp\aMcm.exe

MD5 9dec316e5e4d1ac9c4a221ecb5ef126e
SHA1 50f838ad72b5d38c7f9cc594ca0f158d74496059
SHA256 38dec0965ff75ae12f66f884b96148871e9ba76eaeebe76264993823b993b581
SHA512 6e117252bdbb789ddbe65179324d59a124974aa7522a15630a88be7309bbd098bb924382ffc0a25667cd1b0603bb266e135b7275e40ff67224bde86ebf356832

C:\Users\Admin\AppData\Local\Temp\CswY.exe

MD5 5e4bcfde8c3b65f7ecc2386e5469048d
SHA1 ed778047c25b98c5a314aa9afbe60ea1c58339e7
SHA256 b0f5cb5ba774e0296afb257f0d8bcb836c326a8d20cf7b0335eaf6b0088dc31f
SHA512 af7f49a6afdffe0276b462110a43c5617342f3f57bb0c87758d5d6ebf8b0a678cba6ede478b3c52b529d7a60af7d146ee0eedf75504b890806a37788f14627f3

C:\Users\Admin\AppData\Local\Temp\gIYO.exe

MD5 4f7c07892cba2e93b336f30b68595aa2
SHA1 457bb374064091dedba14a5c9a21d7c37cb49064
SHA256 e16ec268de388d81b3b9cebf302e717f72bf195245162aa05b41e47f2dae688e
SHA512 e81a4bc5127385fa4737e2723920b737919cb74b596539fc5013a076f9a45aa694f17d822da664d75ecf21ae3c9cb8c3ce3332e685cfcc70450d459dffd6e1cc

C:\Users\Admin\AppData\Local\Temp\QMIE.exe

MD5 ac539cca4bc723d6228bfd373507cd8f
SHA1 2371aec8dea449b825b380f8c76a091ef038ddd8
SHA256 6d4af7d60541dd68e084c56722c3a38a6d41ac3be0a81851075e1de0c16f83a7
SHA512 c49a42a1580f294679a02ba9aaeea80b4d0e045066e0d0ae9af6aea237afdfdadb1079ddec32608a1048b334a25aedd6938f1238ee6c050e94256c297565b2b4

C:\Users\Admin\AppData\Local\Temp\gUMe.exe

MD5 20a0d7ec80519677089f1290fc274439
SHA1 1e3ff96b9f0c112e3021a08b45672dc600a32727
SHA256 2d45932aff9491e11dd4a739e182a3c753cb804a54bb70337b17a021fb48846b
SHA512 283db8c7acd6f252bc0cd91092a29fe9417b452a1888a5638ebc04dd422799667523b312b005f5d3cf4c7bb47584bd18fcb7b565226ac45219912a8f79bb86c5

C:\Users\Admin\AppData\Local\Temp\ickQ.exe

MD5 b0201019a4f7c9bcbdd5c4b596a15450
SHA1 07adb5bd17f7c0b11ec8f7a95d807d9a2f997876
SHA256 62d6b091c187600acc7ccf506216950fea66a1b4d7719e25cc8ee9a4e04905d6
SHA512 970b2c150faa6e45f5e30ab1ce7cfaf2671a056fe9cf0d78d67cf26a38e4c742188151b0808c409ed263e2371c299baac70649e9820bb231e12ed8006695b419

C:\Users\Admin\AppData\Local\Temp\csAm.exe

MD5 f5910639e633ea8195261653619f8aea
SHA1 ecf9ff933e6e05bbbfdbd0c7fc9f644d6209e2f5
SHA256 74d527cb8eabf14d635ebd3baed1d1621a52c36f4e25d5dcdffdff4bcaf51bab
SHA512 aea0f68cf8a7b27b2f7de3aa891f12f80e9033cb170a17d9067958c00ff755ecb356e9d523c369c3d7f0390dfa82ca0ed2f2a1203722e77b718750404c3d08ff

C:\Users\Admin\AppData\Local\Temp\GkcE.exe

MD5 89fa922590ac51f52120b256af962e04
SHA1 612f0cc413b5cee618cb6d4d4d8c00d3b891c6c2
SHA256 8583ae3c31eeeef1e54b179615c0dfdf8c5733da65282d2a164a201853652cef
SHA512 ac152a46d1995ebbd795ddc688cdb976510b71c5800fa9d94e9dde0ca02a0f06581b9ff438a51fe3ab874ecb6960d111ba9b6952b7df6adda3927680b1d2fc04

C:\Users\Admin\AppData\Local\Temp\EkQA.exe

MD5 62ae87f4e6e349254355e57dae4c8239
SHA1 702ba1f7b5e6a16f39ad7dcd3782f8c26072acac
SHA256 a60c30b428d5dc65796f91100a29ad6f4dd8785e231517a9dd6d84bbcc63b8a6
SHA512 675ade08e906210324df566a1bc0a0251376864a85d714c77c4d3600e6928ee0d5ac20c55bd5e49357af992fab8ecda82bad2d45bfd72a3558e771c4b2651d1a

C:\Users\Admin\AppData\Local\Temp\ioYk.exe

MD5 650f525965b687f1cf9eb870eb4b7198
SHA1 e6b73670305e1e9e4483ad783803cb82ba5be162
SHA256 e3f59719f5ee6197d32d4499173082af8964c3b07460d16b827716614dd058f1
SHA512 6e574c882cedfe23284275e2ad6b1334e5af511bdd79cc9968b8857d2013488a77b81c974410295b0af8ab93e93c5432e3a015ec7d555889c724d2d9967abf39

C:\Users\Admin\AppData\Local\Temp\iYwS.ico

MD5 1097d89b9f8ffe7c92f0574f4dfbda3d
SHA1 b1543f2204d93ae2dfbcb1ae9dacfd910df0e8fa
SHA256 0c344127fc97373520a16b3f27c97914b56122a7a57c6920ceb6083274f4bce1
SHA512 cf83742200a8e75831b3b65945e3e002600fed62430a3f03a3d12826c35dc40e1a045ac5532d757edebcd542cd2460e3a1b9d906eba6d150c70e80d29329f507

C:\Users\Admin\AppData\Local\Temp\AoYu.exe

MD5 a40920bcfd9a73d9023a739c0e780196
SHA1 a883ddefde851e51f0ec3f8f407fddfce5548bff
SHA256 7fb336c0b482d4065b1accfaf513e423f4fd1a81b175cb0edd51865d7cf30999
SHA512 3fa554c3fd171c5b4c3b33fc9346d10ac09fcb0cf22db034328c78b0ba5326e056737e7b0010ee2b50f8ea4d157b596b274e918e4d4747dec7705668cfc86768

C:\Users\Admin\AppData\Local\Temp\McsE.exe

MD5 62049b1e4910ed7dd1651eef39096855
SHA1 04ad85d0da4b24c0a7bf6695ea56562f781d47d4
SHA256 3dd7edd2471e30d3671f4d30497cc3cf954aac1f8b47d194814dc80178c32ebc
SHA512 885fbf8538ed0310b66c9314b1f393ca044bce7ad118c92e44d4c6b503d1891c46e3a98d6570140cffcb532898935e2a825f9ea7895270ad545679195f10e33d

C:\Users\Admin\AppData\Local\Temp\asgs.exe

MD5 08f805f3f6d5646375bfe01b02908714
SHA1 f334199ad4d13982ea904018cf1e36556cec8197
SHA256 87efff5e846ab82b85a1024d7eed83c699eecb467640ee55d03a769ce5d59e5f
SHA512 993647044513784fdf74e17d0d6c7f4c9b031b9d40fabf89b26292333742a15b3dd3a43e2b524d130859b55ce86447d7208253feddeb6b0d06d0c095363a38bf

C:\Users\Admin\AppData\Local\Temp\ykwE.exe

MD5 976031adbf93233ac3d79125c0a1e3fa
SHA1 7bc78a4af7004101e047ea1f88d9be19318a7771
SHA256 2b8c728c666ef6d991bdbff49f29e247214c9d2d6d753143c5d8fa75d3868a0f
SHA512 5bc39eb2df2273125716857d9194606dfb601cabe3d800b07886bcb9372a42868b2133d33dd45ea07ab27e95ca826fa89dd33d986937be7414dd313d37ad7e0f

C:\Users\Admin\AppData\Local\Temp\KowW.exe

MD5 799c1e2a33a536cb3ac80fb621f77489
SHA1 ef4a7f1467213ad3d396db21797f1c99bbf7cd63
SHA256 0c8e62a7583a5ecdc56d46d4d17fc35272a174f16efe736809af36aff9b17f79
SHA512 5381fe07dd1a0ce1077c368a3dfa99ce58be5493671cf7c542cc686842134ffd05d52a6485fd2977b5ba5e90eba94f301a818a4f68a00217221475a192966a93

C:\Users\Admin\AppData\Local\Temp\eQsA.exe

MD5 7a8e076ce31e2c94c9be98724a6aa900
SHA1 846981a4bf08f753ac1356af0344d5c8f1945030
SHA256 1da736a5d2da04908c2675bcc87d8600011ece0670cca11c32d1d90a9f65a9d8
SHA512 0dd0257fae9adbe9d3b2ba52a43959e393903515bfc07d90e725c088808765c022fac068ac5cd4eebfc3beada0cb79952a121c17f32adbd8425ea3bbc7f50083

C:\Users\Admin\AppData\Local\Temp\OwgQ.exe

MD5 b2918a30a5dde120ef617f06f482baf7
SHA1 75e8cd0d11500a36954d4bc0aeaaaf2519f8263f
SHA256 1d925aa24cdad22056950d38da31ad64414237f94f3244d327c6d8bd64578f4e
SHA512 dfd8e05c8ff4713e337892b4a90ae75a9723feabf448a3e58377be9b5bbcb153c099807cda241afaf8fe8f820d742c610a1f9cf174d010e38c358f09c754daeb

C:\Users\Admin\AppData\Local\Temp\gQsw.exe

MD5 7a44eb7c01a9c04bdf21143ade9df311
SHA1 5232652cc4667e2dd69c5427573c18e26781a39b
SHA256 8f92e4b78e419a2cf761bdda253dbaf69790a850186345323dd42e1a0b8448c8
SHA512 2b1b584b2c05cb9237cf5b8bc24b0a000b63f44f0d2c7cfb2cb910153c3f4f246a53a921b3fb214f81d1b2327d05dbb1b578a446ab630422acf420606c4cbed1

C:\Users\Admin\AppData\Local\Temp\OAgM.exe

MD5 e1c7883d37e9f7a44c2a3d776eb61bbc
SHA1 c34c93c69bb9766a452b7524050dd10694d7f992
SHA256 233f31f258323a422f52d8c21c50f9466319b361fcc7fddd133cc78f51cb7060
SHA512 602676a942a310320c546957379f55b299edb9017ff3c295d5d30455a9898a6d9d63c440600222b717258d372b757820f816745c2dad54a3abf57d4033ed1eaa

C:\Users\Admin\AppData\Local\Temp\WoAw.exe

MD5 84f7bc33c5091539bccf36f638180945
SHA1 bd50fb60a07fe3a121b9a5c3bb268ee40ca73afe
SHA256 7928f010f08cd3e608ca730a7c5bb4df71012d704b77f90d4b618400ac393733
SHA512 a4ff9ec7a30e73e36d06d2712b796efa024bf2192bb79a69358e993f8a6f73f2633adfc2ab35a2d10b9261935773d76d74ec4323c2cf86b1f4517caf7bb6d19d

C:\Users\Admin\AppData\Local\Temp\wsUI.exe

MD5 59f19ac90652b6f7f4e07ac1aa01dc9c
SHA1 23f59ae649ad4342ce62c36484f3eb6a6c49919b
SHA256 a49bfced79ecd0aca8db50edf0ad6cca765514abc0181dfd689d17d64fbf6999
SHA512 67370e7006d616690eb78363a3d3cf241f28633661579c051d5e1c75f2d0f5e0d69bf99774740a45fae7b6c442ebdad42d73d77447592df45b55e77e74157f64

C:\Users\Admin\AppData\Local\Temp\QYEg.exe

MD5 a1ac3250454bcb38955b78333a1cf4a1
SHA1 baf0fadebf5ee738fdb9ed1f34a407837bda90e9
SHA256 cc92ec378889a26889c24ecb5c9eb970f96efccbf904a41b9ca3e569575bba9c
SHA512 d333b1315a61a09d1a9af253a0282996cb054d1b264deb67768544b409282cdcdd3661e8a33ee9ed3f09b40c5a02716943d677216a77808225d01a7c8dde1d40

C:\Users\Admin\AppData\Local\Temp\SYgq.exe

MD5 b268e7bf093379e4a4049c37946fd36a
SHA1 5c1a88271f2dcd3d92b815731526344efb436215
SHA256 6e9b050659aa589d74966811bedc2f23954be03d5603bc50eb8c4e37b4aee4cd
SHA512 1e3f8234cd93a023e226956f812507afa244c0961a9ea81908a25c42f41c9156f41fa0bd51a2f16ea16d4a63b7b40605e5f034aebc37c879b69c65c061e2fce9

C:\Users\Admin\AppData\Local\Temp\kUAc.exe

MD5 95478d94c1dd88ff2137e2203e14eca1
SHA1 31d35c975143d14cef132f162c0303692384e30d
SHA256 77601265123e97d59deffac6de8f7254c018315c28eff7149ccdd4d49b172376
SHA512 2d0e22c3fe255120bd68b296c11c5046fe0bf278dab2cbfb64ed5df487c45312fd1750ec3a8e81b81f629b876b6cc50b0afc10c9b5a94878c47bc16daa28c501

C:\Users\Admin\AppData\Local\Temp\CksK.exe

MD5 ac25dcbe848e9fa506224c4297ab58c5
SHA1 929455cd9c113bfd7ef2f5e1cd3fc60a99c40251
SHA256 a7c4817fc517ea6a048954b7eda5b6d0c9f898680abd4aabd2a241df986945ed
SHA512 fc092e42f7a09ced7440d02c5d430fe80659a89e3e8c4a6fdd1854acde33ba009bbd8a6a7732b0636ef676d03ecc19e0cfefd01b64f450e33a31bcc56d31e401

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 ba54ef281bac5983c4c8534980148fd3
SHA1 9e3e3775615a73b6f666f48996022a6991a64392
SHA256 f322e54f821d5a4c2833a1086bbc18c2b428f451bb27cafe925536f5383ff15c
SHA512 048bf313f23574631cf0b5fe668aafaef09ba53e2abb1d61eaf0982b96c952e1a7a0268c2c7fce821d68f4934f3d91624ec0a3952c0b3cac97ce9dacdc9c7c15

C:\Users\Admin\AppData\Local\Temp\SAoK.exe

MD5 49363178326cf0a34ed83fb2ac2cd6ec
SHA1 d37300405477566505534205a5d11b70b7550699
SHA256 861aac3d5a1324b40d13e74788fe557bf44992f3dd853ae6ecf8419f988961a2
SHA512 92ec41e8b568e2818efdcd1fe58fc2b40594d467047d48f00692ef0f21069e3f2eb9807234b576d3d4729e0d19606b026642413af40b3f1ae381527d55ec49b3

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.inf

MD5 c36571d9478d3acd8e55f223c3ba055f
SHA1 1224915a7304200b89fe1b4e9c1aa2d349da66d5
SHA256 d3ef9d3d8f4dc79efdf044d95bfc34bc7ee1e58f66e3196c3c65e381a4e59aea
SHA512 1d84a330a08cc857c19dbe8e2978f254c87b74237d19d03408f453079dde6dee21c6ab2b0f826cb5b0430d995c18552945cf7f33093599a71663c11df2eb1fe9

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 2a0c973bda9f3ea63f329f575675f590
SHA1 a7365921571fcd4bb59ca052f0b10071cd7d0339
SHA256 40059d88f00f2b03305fc95152e6b10f6c8b7e2fe95ec59e65b8c01e5f5ae5c2
SHA512 f3f0a3a07b965516acfeec44d701aa802b21b912ad286e5b4c4fd7d1a8f1de9639aa2b1c5559a6a55e0b93d39054e0898083cec3b0efe8b09b51587206e4661d

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 c2b692bfa704e65ba1598f22d9f04762
SHA1 a0da9a84585f5503d4b2ca6dce364128091afb8e
SHA256 3bbdf8c68582c293f8304f6de7addc1bbf13d4bfe857ec942814d69f2adbccae
SHA512 0c79419ce55cb7a4d259d1f633b591851646b346b8b1d0bc31ae4165e32c632986a45db9368d3034155e62d53003336459e07d75f2f40e06ff0d7c69137d4b30

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 91983d55475f33041a1002d37ac99b93
SHA1 009fed600193855547e74a5132a4a441d9ac7690
SHA256 867bcc936c582d0f54eee0b8fb982a5dd8f5227290ad22c06d3a16f2dc9b7562
SHA512 ef318274c6ccfb1f1453b1fce1d9f47022c13439383d7a2ac527a4986121719a59c3ff47454dcfc8c6d9cbb3ec958b7d721a5ad806a017a712b41d949f85b0ac

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 3685164d6ca43e38cfc3976982bbc273
SHA1 4b6c010a9669baba832facadf428567867d83d69
SHA256 e5dc5321cf4475ce266e7ad880b5b83e90c8db0f25a13ff388b5e951328033d0
SHA512 3c388c4a36febe80c2b0be6093dc516750c657256b8ea71ea93c1b083d989820e761ec35a5c8fb71c739103ac075b2d0ce6c765b502b50c8e688cc64ffc33e23

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.inf

MD5 170fd0995cb152141630733d77e01fab
SHA1 23cd0dd34c22db99dfda78b69676fc4062fa418b
SHA256 1a4efff0087fa758e65f015edf8c63d371b3d79787f9dbb466b6563664304f58
SHA512 71b4ee41c82b1f016adf756d02b9ce429e1079c32341adf66ace4b2c92e6102ee3480b1a8b56e9846fa73e40d6277d8d66c1cfa94102e6b77ec61dac3adc722e

C:\Users\Admin\UQkUIgkQ\SUkwwkgY.inf

MD5 c0b4d4241d535213cb81e6defbe6def2
SHA1 0db8987572fb6946a5a74d067c011a0f5b9b471f
SHA256 cee842da71341769f220b4b2ab85e5286fe1d2512e41ed7fea7bb122feb92a19
SHA512 d699ab154914eba5a8fa68e7c150d2a020a340cbd43edbc29b168e2bae6842ebfa8693f741b8484ef9468518c94f53d5ad34a2c45359d273bfaf70d30bc74098

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 57748bc0f4cdb501e05b086c17bfe9da
SHA1 f829651a647f965b37b59418558a1407f3481a25
SHA256 64d31b18738d07cd209dc3f6aa4dcd6c321130e3c084bd11e33770fe8c84b233
SHA512 0656b6288d8280d3fd4c00401ae5affc217d75bce0eadde8bc9f0d3f1442194cbcdf6358084f03c926f91d4ef424b643b0aed772706ae3735bfbf21021f28b3a

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 4b38324bd99ab95a159f617b73c3b928
SHA1 5d1398677a1fdf7d5454eb19e70865dc04802568
SHA256 58b98ac1e1740071dca46b7f2daafd9d0cb2846d6a7d0d6737b02146fa1f4951
SHA512 089c0c93f26f915da2d2d22f5e09d064723b25c590d0f909f8286f80591d73d688fde26a9002a6aa0adbaa51ddafe7f233aa970ba1c99436f0d116bf6bc8450a

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 e4858191621c7980c96421ba52d6f425
SHA1 f15a3b2765195450cfd81c8d00f13cd633c01b24
SHA256 669a6961b1ecc7857218fb577b634d562a97477d81cfd7651b451c678d682d7d
SHA512 d8919d476c95bf1740218c5c920884137b874a0a743a2a0421e8f28ca4b177a574c3a93df7c21d35767932e5ffeb30adccbc9556cd6b35f7e85d7cb008c6efb0

C:\ProgramData\wQUogYMc\YIkQQMgc.inf

MD5 95a1b9bd9b3aa8b37527d95e1ad1e328
SHA1 23283711612d31f4ea380a364c3193a99f87c33f
SHA256 e05bdb96cffb0ae398c3b5a59c2b4f16eeb663cc8bfcec10443acf13c8ae879b
SHA512 1a163ceb4953ab4ac2cd5c8b978d5a8d1fd6d063f96d4ec9f7e91628bdbc8b9127ea5da049e255cb21b1bbc55ba1a6395119492ab313d35a4effd733bb2a43b0

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 07:04

Reported

2025-05-02 07:06

Platform

win10v2004-20250410-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (95) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A
N/A N/A C:\ProgramData\juQAMMEY\rqsMQkMc.exe N/A
N/A N/A C:\ProgramData\juQAMMEY\rqsMQkMc.exe N/A
N/A N/A C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" C:\ProgramData\juQAMMEY\rqsMQkMc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIgkkUYE.exe = "C:\\Users\\Admin\\zkAQAMcc\\dIgkkUYE.exe" C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqsMQkMc.exe = "C:\\ProgramData\\juQAMMEY\\rqsMQkMc.exe" C:\ProgramData\juQAMMEY\rqsMQkMc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 5032 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 5032 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 5032 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 5032 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 5032 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 5032 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3864 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3864 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3864 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 3696 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 3696 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 3696 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\ProgramData\juQAMMEY\rqsMQkMc.exe
PID 1772 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 1772 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 1772 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe
PID 4164 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4164 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4164 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4764 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2600 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2600 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4528 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4528 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4528 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4756 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe

"C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe

C:\ProgramData\juQAMMEY\rqsMQkMc.exe

"C:\ProgramData\juQAMMEY\rqsMQkMc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\juQAMMEY\rqsMQkMc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMQogoUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\ProgramData\juQAMMEY\rqsMQkMc.exe

C:\ProgramData\juQAMMEY\rqsMQkMc.exe

C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe

C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIAQwgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UugsYIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YugokEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmsQIksI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vysckwcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SucwEkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIAIAcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEEEowMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUIEsIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSMYMUos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiUgsEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMMwEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIosccA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkYAIEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uowwwwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WywAIgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOAAMwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMQcQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYIQsYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWEgkQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogQoMwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyQMscAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmgAcsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoMkgUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqAskkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAgkkwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcMkcAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckwQokUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgUQsYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKIMkooI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSgUowkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vioYEEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUwYMYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeIMQIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocoAMks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQYkwMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcocwocE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUooAAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tskcIosE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEIUkkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fugksEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYMUEgoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqswoYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukMEsksU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raYEYsoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWksAkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcIIcQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEcswcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayUMkgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YucYUEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaYIkwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkwwUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqIwYYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cukggMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGkkgMow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyckAQgA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKAsgMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiIYAEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUcQogAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCYowMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwsYAIos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMEgIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWsEccAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSMAEQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xosMAYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQggUkEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usIYAwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmEAIgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RywswAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiAAwoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKAMswME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWAMwAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwwMYooU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEokwAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWMsUQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgkQAsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOgooAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmgoQAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsIMUoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmQEgIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GocMkEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agAoAowU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqoYcEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMwIQAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reooUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcUEoQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgIQscEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMEUEoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuckoIkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeEAUUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCMYsUUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bqwggsks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqkUcoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAAsMEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YawwsUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkMooQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYssQQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAQEwAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiwgAsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scMAgokI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqQAcUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQUsIoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeckYIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIMEsok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWcYkMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekQoUYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooocoQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yowwcsYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYAQMEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQUsQUso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neIsEgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUAUUAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikQYcAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAwwYcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCsgsAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LocsMMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcwAMAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEYYccg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yycEYYok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqoYkQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMEEwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiYsEoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqQwgUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeUcUMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
DE 142.250.185.174:80 google.com tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 88.221.135.56:443 www.bing.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/5032-0-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\zkAQAMcc\dIgkkUYE.exe

MD5 8560ce03460b21493fd2c1a911f68f67
SHA1 6acd36e7b09d1fe1c0376a415503504a535f90dc
SHA256 a09f95826de2a1b122a3793c536779ed9408f01ae80910c1d8b3c2fa0258365b
SHA512 3f67dee34bbf2faacbad73bb08ead1b76ec4820ba67e56c45c589c20d430c24590754e3c9a893fdb43c07b0902ce91af81560ff2f44f09cbf7aa90ffd786fd76

C:\ProgramData\juQAMMEY\rqsMQkMc.exe

MD5 b502db4f4ee947459bf752e0ad0526f5
SHA1 cc8995b3df5ed3bb3ce5e6c1b4e3dc5952bf14d0
SHA256 3d12c5eb0a3a1b058cad1fc69ebb4d4e1d71d7f70c2dcdf895645b9235f3723b
SHA512 b2ce5bb95000c16baf5b0e5c498afe60d8d50b6a197f253d6cabe08ee3e464193f9c71f27a68aa00a49c39171cfa1bb86fc574cbd956f64fcd69dbd1a210c5b2

memory/2064-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1872-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5032-19-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4764-22-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2644-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2304-26-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hMQogoUs.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

MD5 908fa2dfb385771ecf5f8b2b3e7bff16
SHA1 1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58
SHA256 60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d
SHA512 573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\ProgramData\juQAMMEY\rqsMQkMc.inf

MD5 e7ad8fa846d84b7057b4617bccad55d5
SHA1 f7b13e6eaea464e4ad89289f22d89556970f71fb
SHA256 b62f2575351918c81d4aca47e3c2a3a5647a3e5c175beb2b49cc72649021a7a0
SHA512 be39b1915078e31bcf4224348b4c9eedf3eda3502116088c5273f6318142052b63b1c34d59ce239f940febad0db0fc3bb2e7074bbb0d59c459461a298d05d3be

memory/4764-39-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4756-52-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3892-67-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\juQAMMEY\rqsMQkMc.inf

MD5 d158b49279e4f55c8c8a4d0999b6d65c
SHA1 7c06bf9b3b46f38fdad1a3ac4deca9b241388088
SHA256 fb558eff4988695c70e2b08d7c8f8835f979c3298928caca3bef11ef9eb53238
SHA512 b14a3e81f715a80dcc7322cddb5a40b48b775198455abf9d498e784e2d86d849e746493965f8e9f80ad7960213b37f2c50d4f282c6300110123521d81054da48

memory/4496-82-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2296-83-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2296-94-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\juQAMMEY\rqsMQkMc.inf

MD5 95652971572b358fc92b47a4524450e1
SHA1 d56a13b53ea0f744bf5ed05d90ec0a0b5c2f3fcb
SHA256 a0607236ce0f143110dbde6d6abf22d18933db27ceac148671117efe6204ef86
SHA512 8b9df1f70524c667fb6c031023a484675975857f90105e8063299168e17ea9e4c435fea16301d7556cedd72b14c562d3e8dbe84a6a739e2953383cb1a7cb83f5

memory/968-113-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4452-114-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4452-125-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1208-140-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\juQAMMEY\rqsMQkMc.inf

MD5 2a3bb90ba6ad3980ed94122d4e3bb46d
SHA1 b44be2eb492a3519101ac432ac84133f5b23d60a
SHA256 4a9ea3d25171a10e7489557fe376b476b48607a227eaf5370274048e7effdfa4
SHA512 f875e12015c3db03c14f521bce0fbd81a68666c68bc45d404a0e212f8a5dc3447242d49c8cb4e1de80764e4d1eafc0a1e5146633504c40c44990b6dafc6c14a3

memory/3620-155-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/808-166-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4844-177-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3256-192-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\juQAMMEY\rqsMQkMc.inf

MD5 445e73594fe055bb71e4cf86040a7005
SHA1 2fec0c2ed2662d6b74310a9d80ef884c10566e18
SHA256 72e5e9957cd3b311266568e12f537fec44150ddc66d53eeccb2929bbd822496e
SHA512 e6ca85339263cdce12eae52e214f0a06fd92c757b098b313f377a217341a07689dcb84ae2b701b63fc1ac239268ea906ac5eb61652ef80f1d1e479d4b8f95bb6

memory/2176-207-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1648-216-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4008-226-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3812-234-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3408-244-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2996-252-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3780-262-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4520-272-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2416-279-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3816-283-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2416-292-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3408-293-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3408-301-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2312-312-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3496-320-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4680-329-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3464-338-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2020-348-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3408-357-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3156-365-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3824-374-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/468-384-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4660-385-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4660-394-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2768-403-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1564-413-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3772-421-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4144-430-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4916-438-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4020-447-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4676-457-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4344-466-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2996-467-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2996-475-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/780-486-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/436-495-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/812-496-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/812-505-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4460-515-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3052-524-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1436-532-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1884-534-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1884-544-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3596-553-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/996-554-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/996-563-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4660-562-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4660-572-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3256-574-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3256-583-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1604-592-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4684-593-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4684-604-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5028-605-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5028-614-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2404-623-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2828-624-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2828-634-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/916-635-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/916-644-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1308-654-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4080-653-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4080-664-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2248-666-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2248-674-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1388-676-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1388-684-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3652-687-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3652-696-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3520-704-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4492-713-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2988-723-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1100-724-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1100-733-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3476-742-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UYQC.exe

MD5 f26eb850e61e1a1d0e46fe25254b1ed1
SHA1 e1839308f601d88559b1048125e939e2a74c861a
SHA256 3023a9dbebf5a3688206766691228ef412335102c48d3963a25a25cc5ba27f99
SHA512 f84bf23ca581cdddef6e50c331bb062d1d4e485b363cda577a217d3ae00632308cf9d737aa849c2fe9adc5dbd966fea54433974345cfb83a1cc2392211724eb0

C:\Users\Admin\AppData\Local\Temp\wgAg.exe

MD5 979fec104d864dfe11c36e0a9d306a95
SHA1 a070cddb5f2331aa2d41ab5236c98f7098fc119d
SHA256 6330d3663d7b88bfca200c36bef49e893dc542816ecd3c178e8a3ddcdbf056cb
SHA512 1d55ecc187048b1e8b9034e3c5d0b77887d54b4f087eb8029ebd8519ffe2ea13dc4771e9356b17bac3902646130ee7e8bcecec6942bb380261149c21d467ae0a

C:\Users\Admin\AppData\Local\Temp\mQoA.exe

MD5 20f80be09b02934a4b9d61abb0caf330
SHA1 3c45f33f2e8d3265c624d678aed5763e42588d8a
SHA256 b16f68692db51c987cb2947dce21bc3f89de0b6641516bc4514cffe05b560bcd
SHA512 02dde10ca13f09a49c1cd1127783fbc8cd4809837a836fbdcc3a6672f86847dfefa43d9568f3ca52fe1bdaf5b2ca2ac645a8a92f166e666775014abd9cd06aed

C:\Users\Admin\AppData\Local\Temp\kYUk.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\qAIi.exe

MD5 3033eb3057660c81c0703319b77d62da
SHA1 6f243c93c7ac8ccaa8db5e7c9a070eba17ebb573
SHA256 3975486d5817a8d9ea2d3a8b28ce2528b7e8b2c15f9c6a2af86c9a1af3891c37
SHA512 2de0c968173ab33a85f3b266f81003e91301fb60bbf590735d1fb0f47813c1d3d901eaa220f03afda59e3e6123f5250a98085aabc7b4c5fa027d5851efa4c07d

C:\Users\Admin\AppData\Local\Temp\CYwo.exe

MD5 21ce45c5adafa76a3b7637e6017ed750
SHA1 f46cb2a5389a59bc54eb7ed378282b1d8706a41c
SHA256 863a897910da826609e09b6be2c203183060ffc2c237650f28864058c16efbe7
SHA512 d392e071edc651e96591c63da7f67337298e22b683e6d601d46d16559e6e0a73902727e3a9264355b40a854afc8cff5ac891358256c235df0e5bfb1e24700a3c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 c5a506c62668744faabfba4dcb2ce671
SHA1 3f02996aa530c3e4ce5d83949fc21d31821f837b
SHA256 5c308f4aa8bc592722ec3f42302204a898a41c5d4f8d06340e52521dec6dedc5
SHA512 aaa4baf745db72151c3eed5316f651434eb9ab669b198ecb35a5832f0ce563f7fcc77231f6c854d8ac9d2aa95010da88e67c1c057c74d5e6a4a11e03c3ad3946

C:\Users\Admin\AppData\Local\Temp\CYQu.exe

MD5 a68f1ebaead6d16136f21a5755e23e16
SHA1 fa10a0479e55a37aef88fd4f9f2ae9e349544f79
SHA256 529e8480ecd8e233091db851b3412c4e65e9f7aab6db9391644f6ee4981fde61
SHA512 ec33e8c620ec8ae75ee78c8996e91339a426322890523da9a182c0180ac9357cf9d27825443969a0e721ff1626b889cff4c361630467cad11f85dd3503dd1cad

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

MD5 66f9da6fa008e9d0dab55af4f9d10d1e
SHA1 e285f0e0017ff499e39705207a4c58aef99e1b76
SHA256 a9b4e1d654e9a2506fdeafedb537f8ac8db26ceb08c74787fc83b0990ebedb16
SHA512 108f7ddda397ef76b0bc5871adcf7da9470c556ccbb37920483d21456514c2e1d87b3eb94c740b4bc72e737f4888cafb5e613058bb7772cfe205e9fe325120cb

C:\Users\Admin\AppData\Local\Temp\sAUo.exe

MD5 20885acc2318ccfb5612e7bf27aeca54
SHA1 edbc8de156e21a26348d25098b73eba5472f1790
SHA256 1d1e46443b3ecf9e2b71fde8c9e978defb1cdb068b2ee0a8f4fdcc854316a3db
SHA512 f6512dcbf663565471d208c931d00ca9d2329e249291a4f4eb6b5fd2ec8956a9437f93609f90e1a2927d5afa717adf222db977c4a94f59a5276f95456c5ea455

C:\Users\Admin\AppData\Local\Temp\goUO.exe

MD5 1905cf7f8c73dd2b80d617073ef8fd1e
SHA1 918a4f83d713975f0aea91e9bce7b9448a19535a
SHA256 4fcc1ea8a669636475b7ccb127a7c5efca69670d3f10128455a84120c0ceca2c
SHA512 b7b296fa51ba29f487c48d7a6dc026d2d0f160e67fe658e5b711b2dd573412f42d0f7f8cb2efd83e74c46c1c431f3dcb83d58e17d376622d2d2f35da33e7dcd9

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 e51e07da345ac5b86a98185a59982753
SHA1 46dfd687ddb537485c8020bc4140e762491e3d4c
SHA256 8f56e3aad2752aa5a3b3e69c8b42c0665377d2a60609593e75347fbb3b474c0d
SHA512 d0b27a7600f1f42fcdcecc082d57dfe3c1cc07d473d6f2f4bf89549bf10c9c76a68abfdd0472a977fd72b773b26905afebd5074e1f9a46ef215278da8f60c941

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 a2036df6c01d941a73c064e6cc00d986
SHA1 0071c4aef96389809e93a796e0e4238c7891d258
SHA256 0773f30e569b5c136e30dae10de03e9caa911c8ded90b0763030e1b71a3b7142
SHA512 2a36f9272e2af2703ac4bccca3d2a9987ac09de4660ec326e79ba2b33007b2e06d7cb2c86e467579f93becb5b2b6bd380e5bc4bc607bcf16eeb85a194640573c

C:\Users\Admin\AppData\Local\Temp\mcUi.exe

MD5 bd33253db4af015d8fed4222717bfbb2
SHA1 74e1a8dd0d91b6bbbb4e1b77b1149e765d20302e
SHA256 cf8109d9926eb01e6b9036e43a4fbc30c34a416ae89556e3ad2f7f53e48b1bf0
SHA512 665b236df9700c111e7165ffc19a69130b2a47ffe155480155a1a2ffabf2d1652282f3421406aa6fe09eb66792a1985e7473f602878365b719c72c9b6d1b05d0

C:\Users\Admin\AppData\Local\Temp\aMMm.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\sMYW.exe

MD5 a1e8c9829120e1257ce4491c3b85d7b1
SHA1 a4fc16e189b14507828d4a1cb674946e19b5ec07
SHA256 509a485b58b3e7ba74b84d4251b7b6684fc09b08f669e3f0e12abba79b82c52b
SHA512 8e7115f6ec35f9fa6dcf89288ce917d73922d76f2962fefa8620d96ed0bb8ccb7411cdfe16f8cb0ee15c3db0e7dddafc5bc985cee963041b0a6ec495a143cf13

C:\Users\Admin\AppData\Local\Temp\kMwk.exe

MD5 56c11da4fa25b8baecb558f2cede593c
SHA1 3679956131000441d80d9bad457c6fdcdc8637fd
SHA256 f3bdf07d3619c3d6cc18dc2c392a683037f406eaafa3b9693afc59f09feb4e96
SHA512 c24505b4ce7971308de33a409f0087dea32e134d29e028014b982d6ae20ddafe1099b52178fe37db9f7eb18f9bab1d4d84eb7ab503a2c851682da4c0022f3578

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 2d5140b893629d845a9d606ac8c2ac1a
SHA1 23557fc9a573e44c623981101775c7fc7e68aee5
SHA256 b42efa52ea69bb43a1a975cd10599fbb65fdbe8efd4c253a251bdda1b225da52
SHA512 2af6327f2dfd5ce403d1a2bc381f76f3aef8eb692b724a0adbaa5951b544fca9f7ba5f3b52ce6d7ab74bdb90df33831488b8f95fd9694381ff6c01c93fbb0003

C:\Users\Admin\AppData\Local\Temp\GcAo.exe

MD5 c06d691027d6ff40cfda32500f7788b8
SHA1 eb92bbbd534624f174aa78ffc3b102c7e49beed6
SHA256 7a6e9fb64a1c4a41abaf772e96fb78c05cecb64c09bd71f641c75098122d094d
SHA512 31061d7960fb2ad28e72ea45bba24ccdc1399cc0502e17fd84e210529a589bb88518327938659734f2991dcd0f2d4cd70763338f05c58b823df16dac2c78fd0f

C:\Users\Admin\AppData\Local\Temp\cgwW.exe

MD5 cc09290de4752a8df397550edce1373a
SHA1 914f377234da4ba874e2755acfdfe960259a8da0
SHA256 e08628a39a38468d85aa9436425fbd71dbac68db704f51dbd9578a2a07c20dd5
SHA512 e11be9a1769f23af0f3c2f9318d30812ecfbaa817ad6e9c59d1f0a7c1cabdcad6fab03e33ad15cf5721f5ee77cff8ad198f8f351a5f6a88e76bb3778aee201fe

C:\Users\Admin\AppData\Local\Temp\UwoY.exe

MD5 cfd7e3219588b14f085b2e987c62cd7a
SHA1 b071b415267b8c15dbcdf585b1bb2a1e05f7eda2
SHA256 61d9374fe805dc1baeb785920886fc08e0890c11e3b2dff31a1b9e46f4ee412e
SHA512 76644c9c511de4a8c2109f358e82e037ff0f5de7931e343e9a1a0197d3489de5f098fe9992891bba83680757e910117278a30d95452cb981c1bcbc00ed9c1d96

C:\Users\Admin\AppData\Local\Temp\EcAI.exe

MD5 964da6681311bf692f6833341c7c91d7
SHA1 ffdfe9d3246ab1b1a400c8e6cad9bc5452419154
SHA256 32760765368e76e01be0a2aa6260fdbc5bb6f5abb8f5ba07da18e9259d3b924d
SHA512 621563c3aa3735a9326dcfdff7f2c7888ff3db1f846971d5d2ddf49097b93c1c736655ee21d5570f545d6a957c1107dea7553b71e7c2aafa343caa4cf0d098d5

C:\Users\Admin\AppData\Local\Temp\EsMO.exe

MD5 7b1044825c0fb3ec2dadd1ed8b095757
SHA1 aa37e7fc798aec2c545761a67c159fb9d9ca729e
SHA256 1a6153074f466e22ef935b7fd3d2acf0d75601aec78f7cbec6475c996d50ed8d
SHA512 b7063118a76205d4170feec2e99c2b83adfd6835a64df823240c5618cbe34fef95fdfa7a335482a2a227e534ef2649059d4ca5aea5b13fc2bfb588d08e93d9d4

C:\Users\Admin\AppData\Local\Temp\AUkO.exe

MD5 b59220c14a5a3dc9fe1e293bba1e346c
SHA1 816e1c9126086630c7471fdcfa210cebb67c3d6a
SHA256 7f533686472c58ed728b47b3e49bbeb11fe1bf4524e756a599674d533b8fa67a
SHA512 713dced80c795ee5ad7a6fdbc13c535c038e0d4dda7caf637d50259dc94a4f78c44e383066177268d272a41cfb5e3279b8be4f3d9355c3216dd19a663940c41c

C:\Users\Admin\AppData\Local\Temp\yQko.exe

MD5 8184d911e7b9c041cfc5e263a15798de
SHA1 444aebef2bc1d61484ced01e7203f70fee8083ef
SHA256 98a9b4d295a012955618f445eac50c70ca79051201c3d43048d66fefd5ebc99f
SHA512 3bb8e55812093b656ec867ab7f64f5361506fbf20d440ca3acdcb50cbfcf1fb3f49c24bc8ec0fbb4bd5045f1b38e335e8ab0feaeecca4fd92320bd5584e1957e

C:\Users\Admin\AppData\Local\Temp\WYAW.exe

MD5 48f911025cf94165df89a6132c8f7f19
SHA1 6a9686b5e6e8c4172357054b4bd666bdee69a8f8
SHA256 06a670f13dc42226a9b9e419ce285c3de40f225298cda46dbcf521dc1d462380
SHA512 72eeff2af3041c971a9d833adfbd0fe1d1cd7f6a72b38348aba5c1c90d4b11044c5449c9b020881e1839de69e42ff261b766edcb3d75dbb367b3a78c029cd338

C:\Users\Admin\AppData\Local\Temp\GEkg.exe

MD5 5c203d866b2d8e496bc5db40f4555c83
SHA1 6f115e02f386e6305e573ccc721f6cdde983a1bd
SHA256 a278ff373f7bf9c89c3dd04e695afddd8ec92eca5b1d74ae1bcdf9a909c66253
SHA512 185298de77967c01fb34303c4680561c45f82ed6a2172de9056e8aadd3df67fc609bb4ba82aac48fc54c17ad6c39968cde886abc807fcc6e81c1bd4e426d8c59

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 c009a2f4ad9d50c9ba7da221acdf1de4
SHA1 c67bcc998f0b49b2195bddb52a87f405c57100a9
SHA256 8b047478619b6c26e6c0e85f2cc3fe37b97fcbe09fa74fc0025f1c3bb9bf42b1
SHA512 1634087f7a252bd801aba0f96e5a3e88685372f5fe0ac2e41f81a5a6aac282ce2172566c9142447a99e54b56651dd794038bcf1076dc0e87b8d8527850e62c54

C:\Users\Admin\AppData\Local\Temp\AMcM.exe

MD5 b8c801b0e4f574c124cde552f3601e7b
SHA1 7386057567dbb9827ce6e36dc9b5b140e81c5b38
SHA256 1308cf42c34479dd0df7c401bd3e1d41fa71fc76c17fa5bb8eed673b86838d8a
SHA512 4f431b755c2784c90170a67fe8142d9aac63c28b0c9764cf91461dd5bff259256da0329bbba759947c6eda743d6978594c5776ab728cdb1f97f299ec627a93da

C:\Users\Admin\AppData\Local\Temp\aIsU.exe

MD5 2d55936764c03657458297f2f274cb72
SHA1 9826c973d46d3ccab11ee9f6e24b07b1527ecd68
SHA256 0556f4ea1d532149c677c5af0d636a099f4b06237ab87cec661b9a0f6a5601b2
SHA512 577eb1a6ad8fcca5a54754eecc46bca0d9ed569e5597d4b29b0909e7e6b10ff748a1335f58d0b3a7f06a563ab19f9e6ac8ceb96f3c1cdcf6ded187ce45c381bd

C:\Users\Admin\AppData\Local\Temp\wEUk.exe

MD5 08f0ca4310d0d6021dc0393794997383
SHA1 db2197f0ce9a109f598d4b4b43b73c2c9a8379dd
SHA256 b36dc37aaa5f8437fa709d844cfc6a0544aa9911c6bc175dcb7fc846f20aeabd
SHA512 85ce5d1fe4b8f437df06a194735fc0040bde3991012769a11348c2c986ac995b194970b6b9b1b8975d8ad250058d65abd16d18a524c47f1b456354b87918de5b

C:\Users\Admin\AppData\Local\Temp\IQgY.exe

MD5 9f26f05f84e32fa53986b4dd96b21325
SHA1 b5b56d020731f0a7ae1c94dfe08223a83835053f
SHA256 6debbb12f29b4356e63b362741873c9e5606d65ea1182f4aeb7a1d06becf4287
SHA512 bd244d660c618496c28fb361926faa0148448a05784ed83089a1a77340453434bdb5333dbfaf8e057615c90522eb34d0297b66fa594b44248c4286b7e180083c

C:\Users\Admin\AppData\Local\Temp\igkY.exe

MD5 f62c6c63f5661606d919613f518a6f59
SHA1 0962798d0958c72c689f7b4ccc7ed3cf6def3a88
SHA256 5d417df5c4293b3d8cd42eea1d9764ee9a82085bfe2cec714964409ffc490e27
SHA512 8a6d5cc39f9ae63548945e2017bfa91ac1223905d716e4a987fc099682671eada96868539e1d0b499daf62ce1079d97eb76c1a004b490d86fb27335e8ccbbd9e

C:\Users\Admin\AppData\Local\Temp\iosE.exe

MD5 5bf3c1eafa534e1e9f14858e22b50af9
SHA1 234a9773c848207a1291de2cfa67cc8a88e0acae
SHA256 3b5177cbce35c3350fc728895f9812c759d73052389b295e57047365382c8238
SHA512 d893082c5656514b8b71741fa9fd6d62da9d8929ef3eff95eb8df1f831381231aa78a5cb4af2dc0589410a3f6576bd6ebe749e1f737fd317fd5f620e00cef1c9

C:\Users\Admin\AppData\Local\Temp\acYk.exe

MD5 e9804a86ce3ee3780b753c25e28a6fbb
SHA1 7a06c3d093e70564f129c11d40645e3578dbef60
SHA256 1657906feab7018b456b1969ba8ba86c347889a504a4b67f7a290b9617ada5e7
SHA512 f3c733a9377097fd0f66bf4c8dea5d008d08ff75ca23d62c5fc891f3ba6de066feb3084af23ee1adf0c318450958e558aa63599ec9db17ea5bf4e190eafa14c5

C:\Users\Admin\AppData\Local\Temp\IIUk.exe

MD5 818267050cd59a2e0f8e87b45bdae48b
SHA1 47c454581a1a50aeada2900576a83787e9dad07f
SHA256 6ce228adc95423c7e50132ccda280f90a95e1a0bcf28f4b185fa499fecbbfb45
SHA512 e7a28dcbc95b1ddef566a6bda4e500b43571968e8575bbc01b63dcfb6ed92baefaf74c45a24c249f19f29955f30629b72f1181d22b742b14dfe9f5053cdbff88

C:\Users\Admin\AppData\Local\Temp\yAEi.exe

MD5 625830109c7ec67f7293fb1b3ec940c7
SHA1 67a32e9840e2c0a8ab541471d8938563834fbb50
SHA256 d79d2897c288e145e9b940ee4171367409744a47baba516d59fcd01f5ce005d7
SHA512 e18ef5069c4690ff2f3e54051de54334123b87a260e95c30ba587e4d7c39e974e4bf57e82f0aa5c7ad50a4b61b1df6d7edcd35fcce3f2946a6d4221d6f105b42

C:\Users\Admin\AppData\Local\Temp\ksEk.exe

MD5 ba8dbd3fb1ccab73a692e52d4e220c45
SHA1 7ce38f444c70352ecd93c44fce376b19fd14f098
SHA256 62af5c9a447eec3ca089d42914a8d06903718817e5edb8779ce49d37828bdfb5
SHA512 b6169a5064c244d423bf269a2184c6a3b67d65db143cc518ab57d0a50856b41338a195c7caacb7c87f8e726bd57c9e34f4958fdc1d2975fff008cfd641b119ce

C:\Users\Admin\AppData\Local\Temp\usQg.exe

MD5 0d9691e891c08dbcd4fdd8ab8626782a
SHA1 19736b6500116a0c2e4a35e2bde6d02846bcecb1
SHA256 97d150620535450d554624e8c2ae620de01d630773a9b7abb5fc96081ad138b1
SHA512 8df918a7b0e21400d5d7c939838af08fa6224536399ac4dface8084a0796b59dcfad3f2b1f7e1707e7b2bf112b02f3d5704b193cf6d3b8471d55542805d108b6

C:\Users\Admin\AppData\Local\Temp\Ukoy.exe

MD5 5def3375b30a924d93badc0d5208786a
SHA1 94f78a6d0f56ad69e78eea862ed29f9afbb386c0
SHA256 2bbc99ed4c8cc7470714089b5adf97ce3e7d1b982233d4a2967429446c1b1de6
SHA512 250d59dbcacbb18bb912bca5597fd48f7f8539a352c97c45206c5193b70923d2d02ae977a1377405430386ef4a37fc6b0637be64626e21668226652cb93033fa

C:\Users\Admin\AppData\Local\Temp\Iwki.exe

MD5 13b81180e1925badbbceee2330173660
SHA1 2b42d00cc35a227d0f90f078301b38fcfd69bcee
SHA256 adfb29fb14f6022c19bf8805428579fdffa5535616406661db47aa805aee2218
SHA512 a5732abde50dcdb6d1de01d397ea6fc1b38a2c3da10f679b29f01e149100d6d47beb4f373ad5a06f6c6e224325de5942a6a6359785541f2fc7d5950a9cdba179

C:\Users\Admin\AppData\Local\Temp\mQcs.exe

MD5 4b7a2898bddc9b6b2e76f4b2560c2717
SHA1 69bd5c392cc26a0056e98ed2a4c2a6df630760f0
SHA256 fbf3d17c04237f5f111d4161c41c437343e1ef2efec9d432a02380ffe9ec6db9
SHA512 0ef62272019f40534d335c5332e413274b2fc6fa05aa013bdefb293af40133b53c2f0949f16ec00ebbbadf915d69cccb2833a41dc4997e573b51e17c253700ee

C:\Users\Admin\AppData\Local\Temp\IcsW.exe

MD5 184074ca91236c652cd3813700bcee12
SHA1 927f77ff1bcf4f49505b96dfaeca5a2c8490b216
SHA256 98a521f23e5302c56e9888eff04cd8d630611db15e799b34bf5d15ce3e1cc79f
SHA512 a7499319f1f7d6fe691743ba3a192a3fc5d5db596c96bb9bc7f608513e0a557df9840d898c69dff3873e9fa545da5826b096c999f4de4d80a11ebae8bb5bc8bd

C:\Users\Admin\AppData\Local\Temp\msQo.exe

MD5 b1e2b0ae1109aecaebe0722ec6562013
SHA1 706657b1426e1e8edccfb77c64de200ec9c34786
SHA256 7f554fe1715ef5a90025e9d834e3ac0bed59b3aa19f7230f42fc7541708555f9
SHA512 b9c0aae56da6f419c48b02b156618edeb917d44d2b68257d9d2a0b21446f7316a9415a8ddee5e4576ba506468445082f8e77a3f89d7fbaf5d226f750c7c7c4ec

C:\Users\Admin\AppData\Local\Temp\oAQe.exe

MD5 c21933fa0e4df74a689880ce214d7e4c
SHA1 9b7b815dc99da656756823a6bd63292e4628c130
SHA256 716121547c50332915d7d4fb9f90ad3547855e7486acb307b96beed9855c21e3
SHA512 a3a01ff651974d06aadac1dd401c54af1697301b1681a73215f509e87e9eef87a03e5d436d4b4d3f92a6e7b092f8f827de9e5dd7565dd20fe22d8c644a85a4a5

C:\Users\Admin\AppData\Local\Temp\isQg.exe

MD5 7732c503d079f52062d308c19052b320
SHA1 927d429a0645ccd8f1e9f30f33851c95979eb8f2
SHA256 db8baba413632ab2e8a264c7e382efe4d47a4002f92e208bb12922c8070ffc4c
SHA512 cdc30a10acdaf9da1811b33ff7985dd037c40e1e158ada1b19cc5e10cce0bea6f36f0c08a16830165842301863e1e5c4b62ae3477e736cf914c58431bb030567

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 8c63aea3f65023a44d0529efede0e7e4
SHA1 74a5be9444622e10476f2a857efaadae8bcf06df
SHA256 d9a13c218a77e88f5fa9e3bfce9151edea606a66bee3c0260aad3963aa9a25b8
SHA512 e5db19f28c374972d0d2abbf36f46e036d89e5dae090690a1acdac1c4b56354949d43111c7abc9fe3e3687c7bc9677a19ec0d5a7e280e4f67844d846ad0cf161

C:\Users\Admin\AppData\Local\Temp\UEAy.exe

MD5 63d85f502cb4018c0955cfb13083013c
SHA1 f5eff78c54e206316c7458291574fc6b33d0b394
SHA256 74d3347c144f55e46fd591ee6dc657a1bbce8b6ccdb790d018e1ec0d42cfe42c
SHA512 12651627b037f947034cf7a32192f92e6d8c9f75afd0b7ea3e581e93c5c36ae2235892f5828fdcbbf51249889b476f6f9fdf52c631184da09b2dee840cd4a24c

C:\Users\Admin\AppData\Local\Temp\EoUi.exe

MD5 ef262f389546832972f4a9e76f7c5200
SHA1 05b67a0eaa43513861ea53c0bad03ed0295a8bbf
SHA256 011a4dfd43cddc54f80ccafa03630168d541faf4185b03d1908166dd355f7709
SHA512 92bd244dde849bc236e2a63e1930902fe3f1a266b475c75af959cfd74a52ef94779960afeadbccf173acd0bac25ff01a6d087535e9d8709879c9f1d1739044ab

C:\Users\Admin\AppData\Local\Temp\ecQc.exe

MD5 bbe0f1f0bfa59feda5b68b6ef8136a1b
SHA1 03f62d7c076981873fd3357a0638b35cd7ca6656
SHA256 92ad7424f1e74e2bac5ad2c5ead42dd27eca1833904c8a85dc0388458079dc61
SHA512 1e39b740c540003b26e52f728f939013163ff551a19cb4ff09f6ad9ced9b23259afdee95540329508452f9a728ae92f0672cdb3e98a242dc9dcd131c1936030b

C:\Users\Admin\AppData\Local\Temp\CoIY.exe

MD5 25615ff15d4f6643e75c4430ff0896a8
SHA1 6af819e5b7e01bf52d6185a08de010c1bc6273bc
SHA256 ecafb15b87bf5e7ed0b825c6c47242d16d99bf2afa773c7a272cfdccb799decf
SHA512 f126e3a43c7a2ba66e753db565f920fa6071da6abed9e61be53a16823229a8a1216cac37fdc7a40fe482b9d1ede8d12272dd6b16f99342697d5be29a42edb4a6

C:\Users\Admin\AppData\Local\Temp\EgYG.exe

MD5 69bffc693de1111a307c3e288112c34a
SHA1 9e239498aecb00f01b1a2c6d72df1c030de947c6
SHA256 d5d361a68c7a200e1f2d4f3a486211239948c2e9f709eb9fdbee6ff89c47c466
SHA512 04d6f3bf840712eab2097a7e968a752744706ec00e67341f74fc089a78eed61f5ba179061aa5df3ffd7dfceb3f8b187888b4c1fef9cff172f7d92d92aa4ad379

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\192.png.exe

MD5 b92d5d96dcd57f7dc163986a93b33d0c
SHA1 4ad9e98bb25f6c03d1f53b5fcf1e9513d9447f99
SHA256 8921cd84e08f1dcc0435b41166c6a7018e208706fc39b3962136ac9c820a82fc
SHA512 88a72b0a94f718d4108aac92695d969356c0e9b00b4a8513b9e6564503ebc6bbc858b79b461371571afb3dab15661fb9a27a7b30b2a03b079b3549ac78808fed

C:\Users\Admin\AppData\Local\Temp\yQMc.exe

MD5 7a990822326b248462c4acbd5de3f43d
SHA1 8e3f9df3196d60cb41df9a20fd6f45ba5e5c91af
SHA256 a5984afe17453bbb079ef421fa701e1a55216a281d5819554bf837d0e90a2d4c
SHA512 436ded8058e118ae1e6d9ba4bfe0f62423db7e92724ba507653a6b16b630aabb1087d2088e5ab36bfddea7842756febf8da67fe7d64df02c70527eaff06ce24a

C:\Users\Admin\AppData\Local\Temp\Ugki.exe

MD5 003d6403a71b4511f85aa1202ec28cdb
SHA1 a4f331606c70011a5a8bc2216963c54359a47444
SHA256 7e76f63c426614dd1625a22e57c023da7a2f9d265f58004eab172974bce76591
SHA512 ccf9ec0ed086bbc27378542124eab4a26ab71f2d376a010f6fd622bba98ff592ee4c35c6d6c8a63428bf6585effdb3b2ada82c01357edd9a4f2bd044fb0b326a

C:\Users\Admin\AppData\Local\Temp\gAAM.exe

MD5 e8d278d0ac4fc66f978aaa2924a2364b
SHA1 01a625be3e847596e77a9141134b42abad058789
SHA256 b61deaff924d0bc9b868ff6a4eac8accd5004b85a9b95e70ccc8e1db6a144591
SHA512 1620b1b7667d844c46a2316d21b21b77f5117231170219ebd582a2e5e8adc8dcab20ce2549e9409e3bce849187d1184f33f3029f253048eccf2dbb8b10a74fc5

C:\Users\Admin\AppData\Local\Temp\GAYC.exe

MD5 3f96d108c35220a06ee8e92eb145f57f
SHA1 7775a3e8c4ec4e48435e37faa38ad9be20f48a82
SHA256 491778ce820c5912650b5d6d8546f6434cd6f4f647aa13cfee7a18a6d972895b
SHA512 b6688b01437b2744fa3832adbcf44db3faaffce8e752b5b5ce94d2dabe4b8f737ceb61433ca0aa453df34ee41b4bcd442b29462885c8f211159b8b4fec24d8a9

C:\Users\Admin\AppData\Local\Temp\UIgE.exe

MD5 d36c0a41ac78c0857202ab7ea274ef1b
SHA1 6a0af6e9beda6c0e84073e0bf2c9eb2b7a41e36b
SHA256 d33d97606b8ddca6aac5f3fdcaf58239758df7c415cc620372d4c5812aaa7777
SHA512 c9d10b22d56fc59317c856eab7f14159610910ffb686652c205fef1aa741f65c849e619ece14d37c786035162b1b79a1d6beeb9a5e79567b63403e7001bc120b

C:\Users\Admin\AppData\Local\Temp\YcMy.exe

MD5 407d25b7560e3a9331a54ca048265102
SHA1 e26c447bac115d363dd7bcd5d4ff47d49da1ff61
SHA256 d24d6edcff783f17ebe61798c01b4fadd1eb5a690bf390cd51c8ca2db74905b5
SHA512 9a1ac9eb8c6f57272316e8e1787206fa0fcc4f90bbd9d9fd72773017f524a8f2995ebc6e40ace2dda55a87d6e0754a2f983ebabbe612ec7d785841f1bc24bc8a

C:\Users\Admin\AppData\Local\Temp\OgAc.exe

MD5 a1dbca004f6dd075b0381618fbb6239d
SHA1 b289bbc02ae18606240711d341550778425b2163
SHA256 bc23c00f7b9f6055f631032032786618b9baae81a5a947cf118f2917b93db16a
SHA512 183efc4c6a058169b18f1b53ba79a641dd9d0539977a06b8c71fe67e39af3783637ccd3cf5ee33f410ec4f187f2afcd7d126dd2499e2f8d77d4c015bdb49ba3d

C:\Users\Admin\AppData\Local\Temp\GAES.exe

MD5 79f075d779445c7be771b6ea97f5ce6c
SHA1 7453aa422bdf35718277c0e40e6fb59529264c53
SHA256 3832d2779d3c1e6e89011210fb0c840f45a940f97c1c964c48ace97b4ef95510
SHA512 22a43ced97e2a37e8841d2d9ddee89e85fdfe53b288d72566b5f5f9dccfd638a3a1a9f322d60e618783b8003e0a73dad41a90d60a71d76a39033bd4455d96fd6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 9e15e713dee56dee5be853ef127c2fcb
SHA1 9489c56c4c00388f2a19598c25b2453fb134e005
SHA256 c0015a556bfd844167230f13eb87cd0e0542eeaf402f38371d772bfab2d67f13
SHA512 a57bc5cbed9c59f2e5eb05e9202be694233890898b3726184eec46e751221885106f4f841436b70cd203b7c5c4ecef68a5fe5633474c4d10f420c25418226ed8

C:\Users\Admin\AppData\Local\Temp\gwsa.exe

MD5 434168545ff494fa1ec7d826a6424811
SHA1 862badced4ce29f476157f76de6c1dce1f740f33
SHA256 03148b3ff805529a865bc72f358c08246deca10109991a0ed35850850a91b53b
SHA512 81ded654a7729c0c36143bb205e3927c50f0426189c77b95c51c81fa238ac39cce5ad43ad4cdf84751ab77fa156d999f75853eaadace23292b3cc438de1f2922

C:\Users\Admin\AppData\Local\Temp\OEgI.exe

MD5 cda6b03c91f00818117ea452baa8f884
SHA1 e9591bcf2e6c146fc8ab042750b467e27616f351
SHA256 5e407d8a8cd44a22b4acb68c54159012b54bf2a21121897f7fc31e070f672d1f
SHA512 4317cb3baaf454e4659a05d451cdd5e7c5ff38b6ef5cf32aeaaa1eff56677299acf3f00deb0261a5aa501c8a7533b730f7ecf5a75b20200b28cfa7bc486e5db7

C:\Users\Admin\AppData\Local\Temp\soYI.exe

MD5 fa6054247662882dce8a899efb598bd0
SHA1 465315db5eb7a17328d094f07ac4081f2c1054ce
SHA256 973ee5f136f8d217ef7d262401f6ded1dc457a808147243bc7494b7d81ab4a2a
SHA512 3de448944ccd7d9575beb8ec7a7cb5d228dc4a29a03bed7fd6d4d7e5b9670caed74e83709d07d240f26b09bd2d70c4e251333269aa18ae210d3ec20629da7ca5

C:\Users\Admin\AppData\Local\Temp\UEgy.exe

MD5 3c6b4aeb8b85b561a9bc055aa3f3047b
SHA1 675761b395f8ed40b6755447da4996427417854d
SHA256 cd1351b2435bfb16c224f21aa8d0e1701f477fd4b33266c1ae7e4ddb9879c8fe
SHA512 89757a6e6e071295afbff376291cc14af911e9df55795fc192e0c83fdb544e79a0b2fd1d469c78511b02b3ef8c61897b3ae7b9f323e4fc6e0d74009c8bcc0f23

C:\Users\Admin\AppData\Local\Temp\qAcu.exe

MD5 09ec1d385846478f7819ec7d0e0da643
SHA1 0b01f4f81fc8fe832f2c0fc0e4569360480467f5
SHA256 90993b98d3b91e9151952d06c2f7c36bfc73794d9301ae7a292540ba561ea433
SHA512 dfc78f92a6d4328bb403be490f9911162e695178cada28f4b8689155d46fc14da44f6780ad07c258e91c808d545b1f87d01561373bf57a0ad6240c34fbcadd9d

C:\Users\Admin\AppData\Local\Temp\UMAY.exe

MD5 c6ddc7902073169cef82958e8ca2b77c
SHA1 240c40c4ae9020c5e7e2ae2b374fee435ff9f398
SHA256 e87f9e798ca706f8a47059526637b364ed4d638e89a395a9fbaac2d426dc54b1
SHA512 6cb955d18a86ad3d83fd74109560b0c54abd7ab40fec408e480b975584b4d2f2d4cf5575ba27fffece109ea3253782b93966b08545095348e6960e2b987e9ce1

C:\Users\Admin\AppData\Local\Temp\WgUW.exe

MD5 22c4040cfadd700cae395d184d80c70b
SHA1 797bc9628f87e03ea7094543a3272c947ee06135
SHA256 badfa8f2b692b5b9d734d3dab2494acc406aa496974b1fdb2be465a3d66d05c2
SHA512 3ebf9c85a05076448bb4a420c2b0eef76a41e952ed46b56a413874d2a58cf1f19af414f1e19877616dee0b7cc4aed24b52acb364657abdb7474cead7ab8c40ef

C:\Users\Admin\AppData\Local\Temp\QcIg.exe

MD5 7d7ae86153b1058774afad161d025a0a
SHA1 c1a756c4115fd8e19586067598b3d4bc62a003b5
SHA256 44bb9bf98ad795cb90776234f6480aa15b6f45e5de89aacea07076f3edf40d51
SHA512 813788a5317e65a855a86ab766b46279abebf9943986af950e3c21aaabff8068cee5308a5f95dc643469c434f01afc6818ce2cf6f15585bbe8fbb85f145ad51a

C:\Users\Admin\AppData\Local\Temp\wIsG.exe

MD5 18d6583b253679c9c20c9436b07a4b37
SHA1 31de53ca16b7b0a18384d28301f8339a766edf4e
SHA256 3bba8b04bc27a4e4934182374ca670836cbd10f09887f796a1ea62e5a5a45e50
SHA512 35bc6cfec1dea11e11bb388f80d29d5a1361d1221a65865d8dfb66de6cd7cd466b06d572bdb9ebd0b9debaeb57cdf9c8e682aa19e2ed7137af0d5c54f85a44eb

C:\Users\Admin\AppData\Local\Temp\MkIk.exe

MD5 9164a3cab6fb893edd3646b5bbaf2f0b
SHA1 a7929d85edbf770ffb65dab6a5f753e4cddb85ba
SHA256 3c11497a0d921b65979dae9fef48a8fa62d3a350cc345844a491d2c68a80cf0e
SHA512 51b2c4c9f0395966f9399832f1548d3be4c916265d1004506d3e90ee5527adf315d4744e59e624d265bdfe0efeb258f5a19b0ea66a573ccc80030a91024bdb3f

C:\Users\Admin\AppData\Local\Temp\WUku.exe

MD5 f0c79c542ff2dcbf27303ef0202f831c
SHA1 326931db49050ca0b48283d49f179924914a8a2a
SHA256 3a90fe57dc078fb0fd145110a30936004fa759a581c231fec88da146d5c59ac8
SHA512 f06d78327978c18c54343118cf9abc84b2fb9fa91fe9394c2b57e2e64fd1f5e3178681d98e75255f332c94707ca7f7620652ecdecb2488844f69fa544c27a482

C:\Users\Admin\AppData\Local\Temp\cosI.exe

MD5 ee69f3b4db8e33919cac97168e7d00dd
SHA1 c34e0440702b5c4f1a97c0198d686872a69c943d
SHA256 3a1003c1a51bfb818fdb7ed2c27089c8cffa4d2d708b396faab2836e7cb10483
SHA512 522573be8afa8e930f772765cf4c71e983f6438bad7fd55c13067359d14bb99ed7b308c2978f23f5d56d3f36f41a53368e66b9fc679c9f19532fc1344212f4e2

C:\Users\Admin\AppData\Local\Temp\cEUa.exe

MD5 8d92286ef25933fd924b2daf4675b35c
SHA1 0c6a6abae0ab69545e10da51ced55234147e2d86
SHA256 4467bb505081d9a417ccc785270dab13281195b48e85af8ca99e6b13b8c61a85
SHA512 d3f9f6d5e1a0264e3fc020d26ddcca90dcc6d9687e08dfcf06277c3628bde3fa24ab3e050b4056e2c41e745fa7114f93ea1111db7263852edae556ec0821bf3e

C:\Users\Admin\AppData\Local\Temp\mokG.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\ywYU.exe

MD5 c77e7ee97f424914c63841717d06d5fa
SHA1 2fde26e913a6ea40c47c2bf38abe907177146f68
SHA256 99d577ad040068fcf2e3b8006d8f2def2e4c30d8622fcc346649cefac9b1ac66
SHA512 43fbc2cf8e5ef4070938e7aa64ef753cedcdf2670985ec50a8b043c6d4cd8080fb64c3bbfc5e705fc17e2cf7ca403f15d0f19b8f65104920122c9bae673a033f

C:\Users\Admin\AppData\Local\Temp\kYUs.exe

MD5 267bb95081adcdc42b032d7ff791c17d
SHA1 f5e4101280bca9fe9b19c17a2a8bcbb7d3837a32
SHA256 5263fd8516a95c6e328fd4eae8d301148bd9b7f50872733cffbddca74382f392
SHA512 7e5863fad01c7b375cd8d1837e8b03367aa1637f2db8fe8583f69459e0f917b055f4365a4a654816fb07cb291cc5c81cd4721fef0e959543dd002b61dde2952f

C:\Users\Admin\AppData\Local\Temp\Iswi.exe

MD5 a08a5e14ea75387c3a655312f19cc3db
SHA1 4cc022e9351ce47f23027352f432583e729ea14b
SHA256 ae61cfaad0cd1af2107cea6f7f74eb7c3199d5cc32745a31e290a177c7b78903
SHA512 1cc824de5b3b1a472c0c14e288cb382b9b3da1ac6e3b4310d862c4b6e6d41cde468115f707d2755967b2c24b2dc4aa649e7d06236001be42a3e627b56bc6a26b

C:\Users\Admin\AppData\Local\Temp\kEca.exe

MD5 a0bde9f9867f99c922c94895f1c4fd43
SHA1 eae2b403a2321474609e8e5100696e2c87e6c1e2
SHA256 6b528a9d1237b3d666d6e28742fb3d179a9a2ad6787db3b6a40975e34de569e7
SHA512 9aab07b73120148c0f0d0cd4d7405bbf45a517d3528b3fede9cc64ce5ec1faf5fbcde202995d4e7d0f3335239fd761af746f983adb9a3e504c1297e18d54dd04

C:\Users\Admin\AppData\Local\Temp\QMco.exe

MD5 fe80ad583362af6904491045e824321b
SHA1 fdcece264948e15e1f6e34a7446c5146b7cc6299
SHA256 c17cd4aa4233f5aae549bbe8e9b55230bb5e304e257a2c2afca8c518f24ab6b0
SHA512 96f85f478f00913d9a5464702b529f5a0c3d1f54b61031d279cbe379a6c15610389b5ca6ca79b3fdfff1c9e50bef011eb38762c7564dbdc502c69761e952b4b8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 173e7ba20fea7baad9579f16df4ba5f3
SHA1 c38caf438b0054411ef512b883e7a567ba78a81d
SHA256 74e5cf6757f7d8fa0dd55f546054843c9767b11e6b2cdca589e6cf6455773097
SHA512 ff2e7dfe9c55dbd7a7f9a5ee07ecea1b81b64b549a353173703e63dc420c999c33872e9cfff488ede2fe2e5353e755ca163c11d389626d5f7ca54565507b8357

C:\Users\Admin\AppData\Local\Temp\KIMY.exe

MD5 051272c34b83567daf74a2c752067e91
SHA1 a82faa1f2a886b9b1691eba91410b9070c0808e1
SHA256 49ce4e5391b7ad89a3c5ca3aacc14b7570083fbc34af1aee0f86c5769ed49435
SHA512 9b66ac7f7f7872d73b9a2b28c20944afb229d91294cdd75fbfc7df0cd3d8725e52497012fb46fb09dc293209987f0a1a788152c933f074cedc295d382289f95f

C:\Users\Admin\AppData\Local\Temp\kQAC.exe

MD5 e484a7797b60fd37d5f9f5761b41d2ed
SHA1 3366a98093e00701380a3f6d98409f3c7e40f71c
SHA256 d3d342b1224ad93af5ae3413be4b74fb97abd895b973d5bef28583ec9aafb119
SHA512 ab7d3ee128c02b67fc98734b4f70391e91a27f38e03a1614f8058b4e7e22c55c1b407c6a524ab80554e22cc1ea9e109f786c30a3e2346fd33d5bfcb2941b24d6

C:\Users\Admin\AppData\Local\Temp\EIMg.exe

MD5 e1045c0c5116676e1cec2074fb9613e5
SHA1 33deb9ee5d87ec6699a56d6ba1967efa6b809990
SHA256 439bcb39b038c2b2bb793bc8abdfd6699330711de2821163081d66d48b7f5f06
SHA512 306aed5b1ac46aed955fb04662962d72a1cea4fb81aee678e675a4c5b764e6d61486c39a062ae238b62396df3505f6084de9e3f62446077d640d7a32c68a9e30

C:\Users\Admin\AppData\Local\Temp\Msko.exe

MD5 e85b0d374335a0de74c62cabc2861cc7
SHA1 a7e1210c1c2caebc2a8d6401b3f99eb22de322a2
SHA256 d09b55eaaf807406add17fbb1b64fccbd0429bc77c02b718d087ba115386ba20
SHA512 d004c64362d24c8a6b35d0a8edefa2433495b16f89abfead1393cfe0b9a917b5035bc7e5fee2a434c26ad2d98e5285d1b5cd66fb90fe884037dba381e65fa805

C:\Users\Admin\AppData\Local\Temp\Awso.exe

MD5 60b274debdda61b5eb59218f6a3cb8f4
SHA1 65af9d8c0e78dce0a238834083f008c0d82a78ad
SHA256 856ded8aadd739242bfcb044ed42c43fc788f7d08fcff11f0761a047e6b3d0b7
SHA512 ba3d682bd5e36675f008da69808ef3cc1bd64e8e8c0719acf3a84533826f875f40c764a31eabd150c968149c753840f5d51421076fed7f314cba3f89dfd53639

C:\Users\Admin\AppData\Local\Temp\mgUs.exe

MD5 42cb1b263a85520b47a04a3aae477c7f
SHA1 2738cb3cd75686a1f1cf13f14d5cfddc68923344
SHA256 a45f6468ac56e7f412a2894aecea0474b48b50c05f8c1df019a567fef85789d6
SHA512 34971f44ca97d55dc3ac1ae4bbb4dbf7cc4a654d4074daccd7877f0d25f45bcb7f998861cbc5a8fa2c33a174785a2fb22ebce0a342fc6052eab44bdb59a2b6be

C:\Users\Admin\AppData\Local\Temp\isQU.exe

MD5 8107dd93df24714b5d1411cdf698bd00
SHA1 aa440db8394274fd81d669cd046f8637f1a8fbf5
SHA256 0cbafa2d3e577d641c0548b2733c2956dc631a12bba525a67048f8bcf74508f7
SHA512 73c04d576d1d6c7fb48ea1be91e14ab36e745842fb169cbc5770c05dc3b67523f35ab7b664cd8a9ca393e3269ecab250bb96d532c7bd40459e391eac36d7beaa

C:\Users\Admin\AppData\Local\Temp\MwQY.exe

MD5 f3e93bb75b4f4cdea6be1e2648ef4ca4
SHA1 42840bd25a5a1f6ac9aaeaf8c801bfc4e2a76df9
SHA256 296232d50302b4ed6e4e0c968602093a0f62adc65abf20bc57119095e980b29e
SHA512 e3f77fc35e4ef9bb90ca63d169aee0c9748dee772cdf6bf95ab6c8812091e46d42141594caeabfd81e7770b9e6d4ec4f1ed6320fa914dee08962a67a9d8a98c4

C:\Users\Admin\AppData\Local\Temp\igMY.exe

MD5 946e19191d34aa270e4da2db5ef64b3a
SHA1 6070ee907e2dd1cea8cbc614d360c50f2aec5d3a
SHA256 bb29c584e5673f18d54fe5614beebc332921801c8e1081c79db0f46056dbef3e
SHA512 6174082948792500070ceb326170dc4457b0a48d860db18ca6ff0a262c90bd3e7081ac9570c98ad3510af95c61bb4a4cea349e8819039c981b93c298dab7cf47

C:\Users\Admin\AppData\Local\Temp\Wggo.exe

MD5 cf297090f7eb3561f8156df713026630
SHA1 6ecdc261f99eda2a4e338619b79bfc64a1d771cb
SHA256 805b15bbb0c65364316907a538d47a8a89de993442d50d6cd6068f46266cd680
SHA512 0b216708cb75db40a621572de0dcb9f95c85b559b479ea0c2110dbbdef64e8179de6d499d9d40060106b7f1cfa9d225ccf5e995cccbf203c6040e044787bbc0a

C:\Users\Admin\AppData\Local\Temp\cYEk.exe

MD5 71c8fff096ba035810ed6cbf9dfcd5b5
SHA1 c6ecb09267bdc952c07d64a487072f625d348d5c
SHA256 aa2bd75501ff33c165d916d282d1b11a55d034f0fee8cfee6816cc5fea88ab86
SHA512 82a91efef5a4aa46d6911f063f60fb88b120941f19aa072ec58b24e3d40fba0edd667061cd3af3b6664e7ff9f2371a8bc2cc59898897f32557099e16fdf36281

C:\Users\Admin\AppData\Local\Temp\ugQk.exe

MD5 eb86a83261086347c8e47007f06d4c85
SHA1 c01f891e0726f271b83254025c4dbfe7a34035c0
SHA256 44f88185cbe67167a997e6993db156fa763d54be07108e449909a5ecbb668030
SHA512 878b0ed1af70849f6efb306c65aa92ac9092023a86cbd87ef8cc4d9f3c345cfcb36beff6b0408c904d91d354edc448301070380f6e5c50824bcbbfae90fac720

C:\Users\Admin\AppData\Local\Temp\AAUI.exe

MD5 0d0db49fd82910414929fae11efeb23b
SHA1 7d124b047328993a1541acab427fa75b64ec129c
SHA256 0592aae534e7fec884289d68d3f64d4f546e3f60299881c38d3c17162877003c
SHA512 737eca4236307481e4f0bea97007099d50dd3cfaff91c6b3457547d8b1e792ae5cabb1c491a01b293a1d4ff4b4c50ae2ae1cc76ad065addcdf78618d48ac903d

C:\Users\Admin\AppData\Local\Temp\mQAg.exe

MD5 e9b3514d5c36b724497d7d18c5c610b5
SHA1 26cefe41184a4933c0b5f4b0f26053563d535b46
SHA256 018e8735e15e97afddc12cbcb1601664e24fe5446d958c165cf7fe3700d64a09
SHA512 045dc0127f9817cbe55c36ab1e0c50370dd2ce3b7b55582e4dd861c224cf3f1f73e53187fd7c97416884e91befcbe8307abde92a7f6a60c21f7976a9f53cecd1

C:\Users\Admin\AppData\Local\Temp\esAE.exe

MD5 b828d4eba6ae2398b01e956fddaa6d12
SHA1 fcfb2dfe38cef4e62a2b06b8782529207394ea93
SHA256 efc03c8423152fa229dd3409ec8bc4a6ee343a1585b1f57afc9dcd7bccc0e547
SHA512 78650e86d3654e67da17d81d018cf55ba87315e4f5326844d67384f9fdcae4cadde8901f3c8e2281f249de83658167a699ff55b2bf913a2ecd43a5b090a55d54

C:\Users\Admin\AppData\Local\Temp\UUQY.exe

MD5 1452d3f0a6b18b1e9d3abf6e831389fb
SHA1 0c0cce70aeb5c4cc680415777fcc94df29bd3116
SHA256 59d14e9436505154cb23a18617161cb8891226afda9421665552e79f39fcd777
SHA512 4f2a0e683da31deb47fb97182f8c4d4c5afda3097ab829696a4c9d020c9db8e3da318d0358ab7c499d38c86751b7c16b266d4b08d12ff98a47ca0a3bb1c32261

C:\Users\Admin\AppData\Local\Temp\WksA.exe

MD5 ff13a449069d18f4026fad7922e4384a
SHA1 99fa3999a0390d5001be1f6ee598d756f10a8f62
SHA256 6df0f24d10b30049d4df5364d11b3bde4aa1fb5e38f6fea6ff011ae6f8bf81c7
SHA512 2913d2d570f7c3b95bd97683a0471313b9c4c0017539c75df9b4008f9a1987fbf7674491702d6e225cf0ad92df394b5f8c98352dab5c4d96791f3698a00661c7

C:\Users\Admin\AppData\Local\Temp\WUgi.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\UAoI.exe

MD5 27c2cc52ff3212e8594944c93a880876
SHA1 3cfbd385202c63cbb76ae773b198902de2c9f72a
SHA256 b54856dd982182d38cf53864ca9bb5281bc38ea0dda3f0d59163d50aff4d8f34
SHA512 e816ddd0b1aec0797fa0cbbeced5b7149a053498360ee4b2be143ee9993cf52581c9ea7c4492a17bce4272b799001f19988a30f76d0d49537d5673f90ce0aa6d

C:\Users\Admin\AppData\Local\Temp\yQAE.exe

MD5 e19eeb5047740060ec8304ee3ea25f31
SHA1 5332cdbdeccad5a1acc91fb07c5201990afd9e7b
SHA256 ff64228aaa779938b199a8db2ea4dbe39c9fdd84b619029d5ee793d70489254e
SHA512 b021eea560d149f7c6c9796216df9b5d4ec0485d05eafb4f9c669b96cb9deb19a253ee1e4b69541c3090aa9625c930e448c7bee5de53e53511585ba9696038ac

C:\Users\Admin\AppData\Local\Temp\qcgA.exe

MD5 d3faf98eb3a10f9edfe869bdf0765a25
SHA1 12aa51717347ca9a033ec66305a11875a7a7d519
SHA256 00fc0de016bb29adacd8982f287f37120e165be366c4f83ce16052426699fb75
SHA512 51d93f37e986de0e3804c70c0ec3f513eaf5f7554c8c03b7882847434f22011e074456c3401c3276848edb49206404b22bd187f0432e58231b02777ccff81e5a

C:\Users\Admin\AppData\Local\Temp\oIog.exe

MD5 7c23e3397b2e5c997b398b5748499b84
SHA1 cffc4a60eb917673e071bed9d3cc398cc75b9df2
SHA256 70c481c5f2c100687a5f00086420403efb30acbfdb592cb1f2e66c419d4b1d7c
SHA512 cb60410225eeca1f301bd7f7e5e44192b2eb5b2009213886fa1732ee976c762c800191087052b8ec44a319d75d9f8b2a0e022ac7e2eefac98a3c334be83a8969

C:\Users\Admin\AppData\Local\Temp\wIEa.exe

MD5 ac070c155dd9edb110997fb5d957a3bf
SHA1 d478276aca1f589deba2450feeab19b90eb5eed8
SHA256 3c365a5047ba2ec01e4b4f166ff0ebad73ef00598719f3a98f8387ea4941eed1
SHA512 e5a19b2a002453c14b5cf174c34ecfd9d4653a4403406f0ae91be98c3c31ab7d5d1b71fd6f2861948daaa9db9a8582abe7a543786ee0b391276ef43a0dcee103

C:\Users\Admin\AppData\Local\Temp\skYi.exe

MD5 8f642d89d9cbc67e286dea97bbe7e29f
SHA1 a54ad4f95914e841248c43e59b7de452995b92c2
SHA256 54cbd21d8fe35e4e622d89e99701071b929c24bc5e70c86d09b4a7fa0d936f1e
SHA512 f16440a8053034f2611d3ed8053d89ab1405335dd4e894e6832867405b54ae4ab183a6cf952409f9cb7d6115dff9e03b558aedbdf5364de90cc2384c18187729

C:\Users\Admin\AppData\Local\Temp\MgUw.exe

MD5 c97616c2403364ffb5c50c70917af973
SHA1 33c3eb5285920b32aa1ea70eda7c94aababef5cc
SHA256 787b9d493c689f116c0b7e72f478623989a05645966c94ceaa6033ae23aaf396
SHA512 c7ac8ed000e34e8abf81228b145bea38b4569cce160f647da3d3731ab92e4d6ccc1d937f587352ce4496657ab2015c8737f7c50bee11c2e85e38a7371dc09f82

C:\Users\Admin\AppData\Local\Temp\oowK.exe

MD5 970da3f87cee2a737fb37670eb19dfc9
SHA1 a34716a81399eb60afab6e786747145a49954e19
SHA256 0eb4fc1d4bb3e6c8c5a3afac347aa25189a4cccbf3d7068bf6bbd8357eb03231
SHA512 ca4fadef91623fb740706e289b165de5ebc8ab4dccaad022ad1616e98bd93b6bb9c23a75f8682878600a994310f3eac5f7263c693ccf5d10b3119de17a9160d6

C:\Users\Admin\Music\ConvertToStart.gif.exe

MD5 0548c43f1d038efd02d8b77cb8dbd2b0
SHA1 b31c8133f1655376ccb11d71af7fcea67afa1a5b
SHA256 7f8ec1f7a683c59dca0ef8358eac2071e856da59aeac34ccd565116a3172cafc
SHA512 9453927f933cf15bd75ddc00e09be81ab3546cd12495ce19d6be08d4b87a1977bbc4806bb635e2478c83c706cb76d90cbdd620ad8ed2be1d520353fcdf0d3e10

C:\Users\Admin\AppData\Local\Temp\YEAu.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\gwIM.exe

MD5 c6e122ad822c9d0836277aad3f9397f1
SHA1 5a3fa0c321850bda1942a15038f9c1650c4821ac
SHA256 37d6410ddb79672b45a9f16dd0ab09aa93f1dabdd8d18106684fe008ccdb75a1
SHA512 7ad921b4f4b32865b914deaf64fbaf6a4eef9ac140c2b46c010fc7b6e1cacaa919b671df7ff68e4462ed35428f42025bac7a32af0822cc427256546b1b583e46

C:\Users\Admin\AppData\Local\Temp\AoQE.exe

MD5 8c5b5da7f2693e2163a977e978a45e78
SHA1 19add1cd9f59a2f426d48492d2ecaff6554e5c0a
SHA256 840f8b183ff07a32671344fc81255e27b42bbc773486d9cfcad4885fa81fffb6
SHA512 baa446635cb56208ff2159c5097e9b964d0cab322459a3be3995d342a454eb370e1c57c11979715ec7c4e5ec202979229ed238cc9fb23431558f01e9a961968f

C:\Users\Admin\AppData\Local\Temp\osAS.exe

MD5 1bd613be33323e8494962b5394237247
SHA1 c4e6c08fd7e8b34f73a88c83e53246751eebcc79
SHA256 9793589c1b3106b60cdd93cf1614e198ae291eb80510b055f5573c46b5d49911
SHA512 a28012b37a4f74782b97322e6c7da60eab1c0b2e22e7ddcfa11ee12136bc37b5984f2405818e80159d252213360b3d85bfd6fb125184ff8ddbded03552697a1b

C:\Users\Admin\AppData\Local\Temp\uMkU.exe

MD5 23691f1ccccf2bf41f8e36a299bbdf34
SHA1 caca49ba10e42b2bd27760adc454d69451cce13f
SHA256 145594c773a3191f5f6acd770b8ae1839cf9c450830cbc54526dcd869337a8df
SHA512 1cd60da8656c190ab30db5037f0440aa41e9c0c88d3140a7555cf9e4c3147d54a6b94355c50240a9e47b0709740bba4c61013e0e1b19fb7c016f4d4760bcbe73

C:\Users\Admin\Pictures\GetMove.gif.exe

MD5 f3a3c9a8915c0228c5d2a077130756dd
SHA1 2e642c73b5f25f70c7d594803b23c8b7ec3b2ce9
SHA256 0696bfc46d258952d3d72ef865d3ca624792d6f838396419399b2d1ed020b911
SHA512 1ccf18dec14c55ed3adba0a090e414aeff33fe54a442cf40ba7e1bdbb790fe524dc9bf8bad8e51603bba77c845e9f34bd52dc27d62f59b793f9b6ae19cbc4ab2

C:\Users\Admin\AppData\Local\Temp\akoi.exe

MD5 c1226e68cf6929f83a062bc04107c291
SHA1 8d5957d8d4931be622e0df7b701405b38e0eda30
SHA256 7156a62f3cc7f5e38cd5dccf070236bb5149d05ce7827b93678ba43b497cda58
SHA512 7b734f2ae3d58cb1f29f5cb5f1efb8366465b87b4e32cbb559baaf4e563451b046841403076c19841fe2a9d6811cee6ccc63bceac1e16a33d07edcda8f2fba32

C:\Users\Admin\AppData\Local\Temp\MwUi.exe

MD5 f4e3def4094256e4a6a99095645f6cd2
SHA1 4d7eeb1e2c6a15d3b465510b6270ab0282916712
SHA256 ce36154aa72f51eeb90548a4ac556d6aa956e01879cbe3fc3b2bb73c8ecc2606
SHA512 55fd021a1fd99e885b4fc9d37dc23134e24a4ac579352e006a3a1c6d3e08458a6fd9f935731e01b74943af1db7f8abcde61db68f1b33eaa87c49b85badb679e5

C:\Users\Admin\AppData\Local\Temp\kUMI.exe

MD5 86f4b17695dfefb979dcb44132f2355b
SHA1 a789b050810eeb78cc3bfb056683b80610d24870
SHA256 85c40c62d400ea3bd13eff664316d58b3486f32ee649165139f16c49ec444abd
SHA512 e460ea98b2e86fea94c7199a5c6d2d140a2e33582984fac867fc1b2a1dbb39f7ccd82ca2897b574adf581d47b88f889cb4b17e31ae19c0df9bfc6d979901c04b

C:\Users\Admin\AppData\Local\Temp\MwwA.exe

MD5 05c92c974ab44d79f2f49e144a0c8ba6
SHA1 08c76a6b252086ce9c201c70c787e263cb4c976f
SHA256 ec24b2082e873cebff072b80e4da695869edf437fcc183aae6b0d7fa37d367e6
SHA512 1d7b2aa9119572c61943326a865942ff528e961782d49a8570e1d9dbd9ae571f3fd72224b860ae401202fa08a12011c781cfc2aa8edc0d0f6942213607c80b25

C:\Users\Admin\AppData\Local\Temp\ggwa.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Pictures\UnblockWrite.bmp.exe

MD5 218a06bc0ca0978667e65d61281ae58f
SHA1 7fb31cebfa5de2be325835414f80c58302d1a797
SHA256 197bacee55dc519889d1954d7c679c31af3058f66f5cbee9e0563e44bf60ac5a
SHA512 b69faa0d11616e1035b0c372007fef72c8b7a62451cf4cf00c2d089d9e229228ad78e7a26a0c491570c5fae1d2174e18c9ceaf0f197e27669d83fe25a68ec434

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 77d9bbd072371db2a4ab1e7219c12803
SHA1 3ae68d0f68dd4adb3cf86b5a89b2e72837079d33
SHA256 e2df439ec4b3891c3c24c029c091a981971cbabcaf10a6036190526267c095a6
SHA512 927bff2b3ed14e21c9f2c6b0f842f46a0e74b6ddf2e4d602e0aeee2d7e041a3dc4a2917aa03d402f36a0bc7ad04b2dede04883d81d7fa2eeb19a32331b661fef

C:\Users\Admin\AppData\Local\Temp\uMwK.exe

MD5 25b3d879874e4664c378dedf04c6553a
SHA1 fc2ac66e2a340d64c2fd788519c1cda0204aa036
SHA256 cf23a3d90e5977ff5fec9af95d089edad3a263ecc80f3ca21838672c96a41d45
SHA512 4774088436102807b7f2fea57c7b3b20bd4a28c8dd43cb808f3c28720a01b60759d6725f6ff02ff3a7e090123203b085542aea34b626b952c9eeb94b1fcf53c1

C:\Users\Admin\AppData\Local\Temp\IsAg.exe

MD5 da932720c29ab822bade82d51813e5ed
SHA1 52baadd2141b54a841d94b0d6e907a5ab1c794da
SHA256 9e2687a799cd4d6b64f0e8d84951863f601f7d1190ef909524d77bfd1ba40a02
SHA512 b53e228717f1fdab73b87aea21c30af73b1ecc71e65394d512e2d8d354c2532d79836c26815fc4c2f1af0b7471af7969bca5fd2c8b87818b03e8ad31ebe8deca

C:\Users\Admin\AppData\Local\Temp\yIsC.exe

MD5 f81f393344f4fa2139bc635177e26cd7
SHA1 90a5e1adcbc8ed6840c2bcacc761e1013dd9e1e2
SHA256 9f16f8196be28f7a6be0fdb3c0237b98496abca666a55f2eedfb89d465b13173
SHA512 6382e00f135a633649aa648efeb29f32411e1e7e5d2dd8d6b79473b8c0b8da80d7066f5a04f95e64e848d5301ee1224fbdd61a5a0e4b6f9b4e99677d6e3f8454

C:\Users\Admin\AppData\Local\Temp\mwwQ.exe

MD5 c7e96f44695c3bcae474ef51cf1e5fd1
SHA1 a50f2e95f76929d449f24eee4ca9ac3a84995bc6
SHA256 6c89d8120d904946a4e3b9bed16b06b2626c649323c033ea31f6d6a43fabea72
SHA512 69dfaf431287229f16d531ee4d225b8bda5670b02d4222d7ec4c551d2875ae4e0080832ee3003b4e1f05aa299b0cd257b90434a1b0b23a246f87077f40bae8cd

C:\Users\Admin\AppData\Local\Temp\icgA.exe

MD5 64b7432045b290b4fb468a745a739f47
SHA1 48485efa52d32609ed4322b8168444318c4afaf8
SHA256 331f58443ec64d7c5aec5341ac61d7957763b9c8b4df13532244b3f5b378c1f5
SHA512 8cc64736d7e57f0f5e48e79a50601875a160666267c2a82f622569d846c38d02769128db9506d6907fdbbccab9b8b6a7d7c3c07b15f306a1bb0dffc004dcda8b