Malware Analysis Report

2025-08-10 20:48

Sample ID 250502-hzlnlsyxat
Target 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock
SHA256 982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

982b7174957c0375d66d2ba68c5698bf0852110def13aa2889a6caa68563e55a

Threat Level: Known bad

The file 2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (91) files with added filename extension

Renames multiple (86) files with added filename extension

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 07:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 07:10

Reported

2025-05-02 07:13

Platform

win10v2004-20250410-en

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Renames multiple (91) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\RUUEsQEw\wAEgYMso.exe N/A
N/A N/A C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A
N/A N/A C:\Users\Admin\RUUEsQEw\wAEgYMso.exe N/A
N/A N/A C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" C:\Users\Admin\RUUEsQEw\wAEgYMso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" C:\Users\Admin\RUUEsQEw\wAEgYMso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oQEwsUkw.exe = "C:\\Users\\Admin\\dukEgMAk\\oQEwsUkw.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WOMwMEMs.exe = "C:\\ProgramData\\scYsoIYk\\WOMwMEMs.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wAEgYMso.exe = "C:\\Users\\Admin\\RUUEsQEw\\wAEgYMso.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iooIkMUQ.exe = "C:\\ProgramData\\QegYUEAc\\iooIkMUQ.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5248 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5248 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5248 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 5248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 5248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 5248 wrote to memory of 6000 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5248 wrote to memory of 6000 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5248 wrote to memory of 6000 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5248 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5248 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5248 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5248 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 6000 wrote to memory of 5408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 6000 wrote to memory of 5408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 6000 wrote to memory of 5408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5360 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5360 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5360 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\RUUEsQEw\wAEgYMso.exe
PID 5408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 2292 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 2292 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\ProgramData\QegYUEAc\iooIkMUQ.exe
PID 4224 wrote to memory of 4732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4224 wrote to memory of 4732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4224 wrote to memory of 4732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5408 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5408 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5408 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5408 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 5656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4532 wrote to memory of 5656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4532 wrote to memory of 5656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4852 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4852 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4852 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5656 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5656 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5656 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

C:\Users\Admin\RUUEsQEw\wAEgYMso.exe

"C:\Users\Admin\RUUEsQEw\wAEgYMso.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\RUUEsQEw\wAEgYMso.exe

C:\ProgramData\QegYUEAc\iooIkMUQ.exe

"C:\ProgramData\QegYUEAc\iooIkMUQ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\QegYUEAc\iooIkMUQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYUksIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Users\Admin\RUUEsQEw\wAEgYMso.exe

C:\Users\Admin\RUUEsQEw\wAEgYMso.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\ProgramData\QegYUEAc\iooIkMUQ.exe

C:\ProgramData\QegYUEAc\iooIkMUQ.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAMEocAc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyEoggck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuQEQoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGAYcgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suwMAAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LioMEUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMkgYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teoQsQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSkMUwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGsgIokg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYQYsgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIcYIIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoAAUYws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwAIQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKggEksg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOsQAMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAsgEoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwwgokAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oioUEEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wscwYkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIAQMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgUcEwgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGEcIkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEosMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkYkcUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWIMcUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYYQoQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMwsUscE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMwskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmMcUcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKoEsEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luMQQkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAgMwEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQkUUswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUMMEsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMAgIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOcQkYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIMkQYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSkcocEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAMUAYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWAEEEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAQwEEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQIgAgII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSIoMAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSYcUYso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcMkAMwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCAAAQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAMQEowk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyssgUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImMMsswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goYUskYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaMYYscw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XosQskkY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqgYkIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nykEYAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYAIUckw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\dukEgMAk\oQEwsUkw.exe

"C:\Users\Admin\dukEgMAk\oQEwsUkw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\dukEgMAk\oQEwsUkw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\scYsoIYk\WOMwMEMs.exe

"C:\ProgramData\scYsoIYk\WOMwMEMs.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\scYsoIYk\WOMwMEMs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2072 -ip 2072

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEQIAgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 228

C:\Users\Admin\dukEgMAk\oQEwsUkw.exe

C:\Users\Admin\dukEgMAk\oQEwsUkw.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1820 -ip 1820

C:\ProgramData\scYsoIYk\WOMwMEMs.exe

C:\ProgramData\scYsoIYk\WOMwMEMs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 188

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 188

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\begUYQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEQsEUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgQUQwgs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOIAgsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyIEMAck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyUAwsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUgsYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCAQwgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMgwMEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWUYAQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaoUcUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCsgccoc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieEIEgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiIwkIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkckkgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiMYsMss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOUQQEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JswYMQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeoMgckU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYYIUIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QogMUgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQocMcks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqwQkIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heUAEAok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vksgUMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIccIUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaAEwcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqwYMowA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwwkUMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmIooQYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEEwwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQsIoUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwwgoYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEEsIIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESsAcIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omkcYoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAsUkMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKggcgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwAAQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqMkYUQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PasQYEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaQAEYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEoYoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYUssAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWkwgYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOMYwQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQMgwEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOwQQUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv /szVYOAS2kmI7EuMnjgOnA.0.2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naEMcYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGkwoEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYkwkUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mggMAwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioQAkMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWIsQkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JocwkkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAkkQoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUMwgMok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQsIgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcUIQwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeEAAswI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JewIEIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqwwscUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEIIYAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUwsAUQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUgwkIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQcgQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgIscoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqcAEgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
DE 142.250.185.174:80 google.com tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
GB 95.101.143.183:443 www.bing.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/5248-0-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/224-12-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\RUUEsQEw\wAEgYMso.exe

MD5 eab283db647bae2534f36239f10f3356
SHA1 fc610d10fb09a71b2502ea82a0a860347941c758
SHA256 f30e61f5e4d27137318fddd41eb7d7a7dcd2ae034a8ec50e853bdd54723f3d07
SHA512 af60e35796bb72ea83c8626f71a155801928556da20612dcd2c88b3ebbb4962864d1d314a1f3fd1de7becd6781c30b5e413fb117f6ce07744f0709e03ecef17e

C:\ProgramData\QegYUEAc\iooIkMUQ.exe

MD5 9ae902d81bac4980f44455c1963ea59e
SHA1 f82befbe9cf04203b7e1e2287abf3b59abdac73e
SHA256 966c28b7275a9480fca957419d82221a9b714e6ce58daad9135790d4787db35e
SHA512 2d8afe97bd028a8cc4879e1c5a1bbe039634e7140b4b2ef34080ffe79499086a60571d65fc27a3c32df0fd5f0780a58ac2037da0a24061f88981105a2473fc07

memory/2360-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5248-19-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5408-20-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5080-24-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

MD5 908fa2dfb385771ecf5f8b2b3e7bff16
SHA1 1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58
SHA256 60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d
SHA512 573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

C:\Users\Admin\AppData\Local\Temp\PMYUksIU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4608-32-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5408-36-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\RUUEsQEw\wAEgYMso.inf

MD5 a221ed337a5f761276964893039b8a77
SHA1 f17d9d734cf4c377a703bf1f7c6506ee1771f8f5
SHA256 6cccab2d8d0343071dc2d346d6c2f03d3dcec03710fafc5ac70935ae9741d9dd
SHA512 5eba579ea2cb2b73b235dcf7ab119a4b0f9f66512ef8fb446b6c032696031b5fce0575d2e3d387cca97ec049d69a5a82b577e767665ef307cd56e5e95c8e44ac

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/5656-52-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/700-63-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\RUUEsQEw\wAEgYMso.inf

MD5 94d14b1b2c6ee0de22b25bde4da1dca8
SHA1 43f404b1f466cb40f2623b04f18f9980e895b54d
SHA256 f0866f0a8f68b753733dfd5b6720409dbf8b863324ebee97b36c07a11f81b80b
SHA512 29b205171590342b06ba4207669e8e4eed96e7597afa814aeec9b62247a49597c5e11f5fd04794f8a7db55d23d4930c01661be9a7ee57eae9c68a69e82edf33c

memory/3876-80-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2104-93-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4064-103-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1876-119-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1596-120-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\RUUEsQEw\wAEgYMso.inf

MD5 79cbf44645c5e29ba8868c4f958a27a1
SHA1 b89915bbd02d0887ba5f1a388d61ca5cdb883fa7
SHA256 f7b12fb25a15b426486de5a9c385fc2001a058ceeaefb8d9e0c1a772b461fd5c
SHA512 7b231fe3ac47086f21e71cc64c6bb8574fdc31bab489e4fcdf453d9b1e4802b65a4c58a69c6a37805f0fa31f69cf3aa4a1b1756d9cb458e8644ad1db267b07fa

memory/1596-133-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4876-146-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2220-147-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2220-162-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\RUUEsQEw\wAEgYMso.inf

MD5 b4703a27fdbdf0a961a7e652cdfdbfde
SHA1 999b6f7a94dcfa43b8edaa14db35e9cbe4c88dee
SHA256 d927647f34207ca961e4bffff1f4ffa47a4c6976640eb7f61074cd628d530027
SHA512 204d1013f6daa5854bfc4d354091ca06d80b19aa5985f617991c57ec9b2689e10846e54c60b149cf378788dda47cb72537b9ddda17439c21cdbefdca8bfcad24

memory/4408-175-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2472-188-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4500-199-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/404-215-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2584-221-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1200-225-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2584-233-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6044-243-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/588-251-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2472-261-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2484-266-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3836-270-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4328-275-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2484-279-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4328-289-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3260-298-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5896-307-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3052-315-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5984-325-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4604-334-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4896-343-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3776-351-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4236-359-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/912-370-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5644-379-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1128-387-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2848-397-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2220-406-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5404-415-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1396-416-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1396-424-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5260-434-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5596-435-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5596-445-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3840-454-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/404-453-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/404-462-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2896-472-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3864-481-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2184-490-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3644-491-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3644-501-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4756-510-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1492-511-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1492-520-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5460-528-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6044-529-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6044-539-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4060-549-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4572-557-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1392-558-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4524-563-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1392-569-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4524-578-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3716-587-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1708-595-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4084-596-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4084-606-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2072-610-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4940-611-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4276-612-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1820-613-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1392-614-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1044-615-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1820-622-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4940-623-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1392-627-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2680-637-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2772-645-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2220-655-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1324-664-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3048-665-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3048-673-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3236-682-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1960-681-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3236-692-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5864-701-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 fb5226b1b50f8c7f43f8bf86434b44a9
SHA1 ace7959bec28825fdbbb5cb4fb71c9ebb129816e
SHA256 8ad99615781fce7717bc6658adc33469b180f2c2c09e74cf7d419466b53b2ec7
SHA512 79f59f15b8733f2700c2ee6cf7a9c6ceafa1ca3c283ae3096cbada9a39757a3898ae78346db941220605101944b698269649e99d6d544c739bde99c883aca033

C:\Users\Admin\AppData\Local\Temp\GIwI.exe

MD5 b186ab9bcd1a98cc01b072f72d092acd
SHA1 ac851d8fce8862e19c60ceb82ba48385b4bf3d5e
SHA256 263517212b99b4b929bbd2e401c7957ba586f2089dea9544d0c334a58853c189
SHA512 3ca165f6e8933bafcf267ed9e789f1515c4f7b846f89da1cb6f4ce8850fea1e83122b9f66bf1c91bb4f99931d2bf7521d06c79062d8eb999c52101a4d1dc25d6

C:\Users\Admin\AppData\Local\Temp\UwsU.exe

MD5 46be1e23e8a47fd72ce16368aa90f663
SHA1 2338c0e502d2bfe8bc37ee423e0e25f1665a10b9
SHA256 dc6d38ed90ea623872b8ce9720c5acb67c680f4ed043a3e4cab0ecac70d5c951
SHA512 deae0e38527373d7f1698073353840034f5ffdd7209cdefe5cd886bebf29955ade673bf08b9acf3559bc221d6aaef8d833c0d9c44a71efed3a8ba7f4df5e7638

C:\Users\Admin\AppData\Local\Temp\YoUi.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\oQUi.exe

MD5 d1e34f515008a27b92c55b13b6403106
SHA1 13643b9a73000a586a4e9954fe58b754b13977df
SHA256 e1ef09277c1291f9ffd32b1ef5bdaa254134a79ad36ba208e3e6567989ee7f71
SHA512 c819e27d41f0fd8a8242bfbf53342349ae6c4c701965ba2fd78c882400a9f0760858ff8b327fbb5070a9887deb537c00ff34e36b769d1fd08292db0fd0f8dfd2

C:\Users\Admin\AppData\Local\Temp\akAU.exe

MD5 74be83e5b6d7e112a8e4dd43467a6861
SHA1 bdf82d6a7f19ff08f84493f7498e0f084f3c04c0
SHA256 3f08fdf05c54fec2fb65ff32795d746c33eb1cd6822db7aa942ec9544cd5220d
SHA512 b4f953bdeeb55ab1900a87cbc7062e04252af160c16186fb1cd39e27d5ced37f7e2ff20205713a4d9c2e322e0840b5cc45e25b17378c4f8ef309a40de43eb520

C:\Users\Admin\AppData\Local\Temp\EQsY.exe

MD5 624cbd0a71fcaa956d19ab7f3a899b42
SHA1 40364a8345dfceb97a078ce41a06398c9e3f2a2e
SHA256 a389fd029111c83a603afa5b0d0914c7c927c97d6917ebf04c46b2c7f14a5a25
SHA512 88d858013ced56e8a905dfebf0c372cb2d5612152615da7cd316cddbea7316979c35feb124dcbeddcdf6a734d0cf0ba23ffa38c680ebdd85ec53b288a60f7898

C:\Users\Admin\AppData\Local\Temp\AIwk.exe

MD5 39427cfe70914631cb7ce6f3786e8faa
SHA1 55fac835c98bd4efaf250d46c477c3f0877009b2
SHA256 016bbe4a3d6c236fd46077011cc4d5566c12827d51fa5c0fb2984dcb6e6dcd1b
SHA512 737c4dca9c349a2f3e4e50abd7029183f5dcee30c12615f201db71eb7e66aa9d2f97ce39e6516fbe24b91f432e49a2f16b6c15377fc08cc1fe83d159ad51ef46

C:\Users\Admin\AppData\Local\Temp\MgMu.exe

MD5 f75dfe26f5e7bf5714e48651e6b2447e
SHA1 2d277bcc1dd7e8699f0b19ce8b7105661b934629
SHA256 1480a32e9ce8547226ef636da7070b580b037c748de7962daf34e060330b31d6
SHA512 def725be88d70a958ad0d98d6f98d63dd2af11c874b1cc4db7cdef2439bb7524fd56933e92fc378909ec42d77267c445b49878028363e60cc5bd1d492631e29c

C:\Users\Admin\AppData\Local\Temp\sUEw.exe

MD5 d44cefc8433d1a85d90bd6a56975951b
SHA1 d0e1df40569963d5f79d9e15f2660d51c9814e09
SHA256 143cfba986f3257c0cc8d113c97827208193f97e4339b88034d079f4458ee60d
SHA512 dbd7856ba7c05952fe4ba565f2f6ee181c2c79005784a487f0b15a42b7869172777c6c5a40b05d41e24e5539878e032b45de2e19d87fb786f0d17cee5dbcb142

C:\Users\Admin\AppData\Local\Temp\iUUk.exe

MD5 7fce24a001c0cebd2767e123ce3e9a85
SHA1 dec9b73bd64f5ae9d0e4cfc94b4960c01abb5e54
SHA256 d034e23344ef45354c9b64fa79b8b9378c887ab6af163c78a46a235f37252390
SHA512 5fad692cf8aef7c95cb1031b75a3f6df0a3fb16cdfbc71215397935c990d82ef907b71f8967f4fda48511f858d229c41404ea45c40b4e987cc24995b22f1a26d

C:\Users\Admin\AppData\Local\Temp\sYsK.exe

MD5 9e5f1eba542742f951af35d392feec01
SHA1 bab3073ea16ba350c100818be58471914b2cd81d
SHA256 5e09b4eff3d24e033e3ed797cead8847119cffa34a5c19e66858041096d812d7
SHA512 fd393360efe3d582e6519f78d4222e13ad486eca338dfc3f3797ca9f3d6364753d444fcec3c6c09d5fbe31a2b6c9fa4d7052df21d0dba4fa5af8eb86d0b0b0ae

C:\Users\Admin\AppData\Local\Temp\qAsA.exe

MD5 79d52b9794617a4ea4efb358eeca94a8
SHA1 38ff3edebd9d273ef2e1a2b0392a03f94f7e029d
SHA256 5c673283babcf9c459c950957ad9442e845109955b21b0d3a7c45504de753d6a
SHA512 ae480e2a2e2cec500eaec9811cd20117de7e1519cdd30d2dd949f9244f6ec808b2d030527bcc60350a84ed61ff97f6e57fc451718f29cb4591c481ad34e57f23

C:\Users\Admin\AppData\Local\Temp\usIu.exe

MD5 e0e24404606eab37795d10d50a14d17a
SHA1 518d5353c5e5798cc28f1a797ff55b4d921203ec
SHA256 fa3f72c878055265c33951ef545f3648451de30638945195ee82009a9c1782f7
SHA512 12ccae0b0c03a05a7b318995184395786837fe2aa8aa00ddd8577d67a8b141669fd3a5af2e6abfaf995e9325ddcb4cc52cf18f71e7b7fefa5ce9f6faa7e0f395

C:\Users\Admin\AppData\Local\Temp\gUgA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\aEkM.exe

MD5 2a1dd2fcf0e05e18ecc330bb13b14f9a
SHA1 753e97ab98e5ac3726370148615287ccc7535aea
SHA256 bd3f83d61157b9813a11822db0b0223e1ce3381db8e05ecd5be0b9aaa7d6f42a
SHA512 8b3c515d7429d7b450028627bca6738a9f676c43f64ae272aa3c53841d69304fa5abd0b667a2ee651e0fd09ff8bc4160f9cbe89e43bc70e579733aef2ecca2f6

C:\Users\Admin\AppData\Local\Temp\eosG.exe

MD5 cf9ac7049ca8d219a570798e929db75d
SHA1 3a41f6916967940eb1c0728e912faf4de0392b1e
SHA256 f96f17d6d781475606acff6fa81fa92a1946ac3da3cc2578aadd2c068e90f0f4
SHA512 f0221d6452798eefc66f4253fc1c091ce72bda8c23961c72a4f21d41fc0f8732217f7043936d7cac8adc3d803e357ab4223daab4f9e20028b1c1619c4d010fd0

C:\Users\Admin\AppData\Local\Temp\OYQC.exe

MD5 aa1b1485f77c570afd397a5d02e1fb4e
SHA1 66589dccd9ffe08777632a90df098c5bd661eac3
SHA256 8bdb10a185f952019e29af5c24080c9a80ef808bf4dc0ff99e1b6f0468e3091e
SHA512 a4bbb26ab6fdcc3d7cd2e777ce782e57184333d8a6ba22e8a50e89d769f478d95ba13fbb45d900d2d44c66d2429ed0b5e1f491fbcc978e4d3e07a7635a575f02

C:\Users\Admin\AppData\Local\Temp\ooUu.exe

MD5 ba7dd001597c706ca64030158d8e7cd4
SHA1 0144c085c529f68d3df74f6cee50aabd4e3a9971
SHA256 e839439f8b344b77a4bae0d42e1da635c12e22e2750a8888cddc2462be34db82
SHA512 c7f4e643b89240e7eb999594808d22e0088c8991f8597ff00581007c0fb645bcc82246c2b9fb29656f0e337d60c88093b30a2a365b74bcc08474c56f479ee596

C:\Users\Admin\AppData\Local\Temp\sUsS.exe

MD5 109c852749996b877b77120160d9bf74
SHA1 9218d3cbaf7d136f193c60b85823609403c1566c
SHA256 e5f8f92696cece6dceebbe91949e43c2473147cd8e6b2134fff3803b15b372e2
SHA512 6b82748d0e28e6c6caa0c8fa6854b30d050072e7781c26dbfcf85dbb58be35f9577b19acb54617a8ce894131f4f5a79114c725c9ff4891d079a95f4596f4d2bb

C:\Users\Admin\AppData\Local\Temp\KcIG.exe

MD5 aef261aec95393617eada97e44b3ccee
SHA1 4a4f1854358012389d787553ac52a7e422d03103
SHA256 bb0076d4eafebff7f8139dcaffa8e0aaa11926f0d22f4587154ac301529c909e
SHA512 55120d02805499ae1eb6bd8239ce54777ac7c3ef8d11acd13eb32c7ac26879c670ffbea32710a02e3f041202677f3079374da713d5fb16e23779be78aebf030b

C:\Users\Admin\AppData\Local\Temp\oEki.exe

MD5 06db5cf7ab02feafce8765720585464d
SHA1 77eccf89d7392cb2696b2e9c50ace930a3f28a2c
SHA256 30ba9c6a622702b249942a5d0129df074d5e95a94db6ab5c1c68ab67f81d9de0
SHA512 3a0c60ea172f338b91b32ebb20a08b1b4efc6c472bbea520ae8b95cd0d7ba53c9905237dde5e5d672526d5c88fddb80dc543f0ce4218512577a2da0f6ef8e14e

C:\Users\Admin\AppData\Local\Temp\QooU.exe

MD5 c6ae86a818ea19eca8100ab428e47bf3
SHA1 209d5fb4ee6536c39b0454dd5d076403073e7d4f
SHA256 342fb520ada01ac0738d692da53cde65673a8084e0db619177cb76590bc09010
SHA512 735ed82bc6cad028e440042cd2d2984deadd0ffec3b8e910c2a727d811b4178b2e7419719472c14d94373a496e570ac53aa52042491fb3614948351fa9bccdcc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\128.png.exe

MD5 504b2fa2837697bb4964470436194c84
SHA1 c418d59296d714f6245efa4248c63ce09bba6c1a
SHA256 8ad078fd7c4089f728b05a6a6e7e85474440de8da75e205ef92b3fde812d74ea
SHA512 df22cbd2c31c9080c43ad4f9c66240742a15964d88d97b461dba4b2e08b6dbe14f27df1c1e2ecc3576f53af8bd06b9834b8198e14145b40cc5a9d9a77bcb5ccf

C:\Users\Admin\AppData\Local\Temp\eMcs.exe

MD5 cada99b2938682601e72a57971703c5b
SHA1 433d0041832515c6dc7f232957e63c80847a352c
SHA256 25b71c0f0b0bbad9c80d684f8a30d7752be1a98145f7300fa96aaa5be7713150
SHA512 e6711a677b83461b542fe28b3de326147f91f642a1944629139f9500ce38c3a8a5724b015c61d3f8df87ce3038e48fd17562216574ad7eb11857f3e6ba8ab29e

C:\Users\Admin\AppData\Local\Temp\SAoG.exe

MD5 33cec677966f6ac0024034d5d49f5914
SHA1 210a5fca1342f564d44a8fc1ab26b2d0cb77c75d
SHA256 2037d76aaab5088e8c07554479c4f57724f8333e3b153b7810edb56f3d0e79b7
SHA512 9b1ba4c6341336a7f424d0170319c0b6fecc59a8989fb20f9c0ae7e2b5e4c0e7c8e95c9a0ef3881402084fcdddc89d50ab714981b5cf25be0495eef8c7919db1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 88ac0fb407347b4765d9bc8c8de27323
SHA1 17f04b60c0fc8fb14be5117a4a5a0e7c38ac013b
SHA256 a89e76d48597948660156eaea7d96594f7e7181b0b0a7db280bbf1c824503430
SHA512 a9803e337cabaa408f578b229bc199e3909c73d1f69fb683342a817455a59598fe57067789e280ebf766874dd67eebdf5ebee1354dde97bc7c4e4c8bdcf7873e

C:\Users\Admin\AppData\Local\Temp\ocMy.exe

MD5 1051cb9da8b71a51536c27a90857723e
SHA1 d84c98c1d73072f296753826e6742c56287d2cb7
SHA256 c69fe4c64a7721cb4ccd997cbb4fff4998db34994e1bb113227392d577d2e3d5
SHA512 ef81bdeaa7419c1979ebcdcde7acd53d7e883a33af67828af390adafd61149c4eae620ec1cb2b6b8e6c3419cf1e4e8c185b68ba091521191a65b2b60657d3956

C:\Users\Admin\AppData\Local\Temp\sUQS.exe

MD5 b517ad9956e112b81aec8caff34a720f
SHA1 e4d2b915c3fb1cc78e7b9558b1f3a1c852c86b98
SHA256 0338d0049f8624e41b3816f6f4f47119eef07ed0052f2b598bd71c3ce5a7e955
SHA512 6430ec8614c0d10e76979edb661e79d52105c366e8d4dd42e357baf3026e7049b22b845c49ebcd46052020706acbff82fa6f1e5befc9a0fb466bfda3ec7d4025

C:\Users\Admin\AppData\Local\Temp\IgEM.exe

MD5 c62afb6db8a10a9fb2fbd6c003b19c2c
SHA1 8d6f5251a3561a7fcaae3fc19b3611b145d8b531
SHA256 65e54f3bd37ed997d3f199ad67a596a0368508cd6ecca57686063b41a3220061
SHA512 c02053152fc4fbd7367e148448c697de613821ec5be5ba9e6a8e97d964edc5126e06c116b9b33d47475e10edfab6ced130a089af7555a4c822992ce4a2f496e0

C:\Users\Admin\AppData\Local\Temp\Okgi.exe

MD5 ae4a934b0b314fc940b45bd9f13a3cbf
SHA1 db2a5ae5545243d5632654830cdde05535050347
SHA256 426e02772bf513b1d75b09edc75f24ecc881d3792772bcbdc34b7985d3a88b86
SHA512 3d52ec85e8a9c0a2dd951e0596eb2ceab6ebc08aa301d95417175b883bc77c5440a3530b207cdf63b9fff0948ea3c15d371a28d53cdd43e57b417476a13741cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

MD5 dbe78234787c59efdfc9e40e55a37c22
SHA1 a40ba4c2f0015d6902be939f54f4fc80f95f398e
SHA256 45e166b00adaf2bca16f0873226156fe00979df106de3f4b748bc8607e9603b1
SHA512 070afe7d842f3223b39bc710ddd8d5b2314337630ac7bdc85131c4e25b0ab843f6889283ff6026108f2ef0934f26a662b8704dc37f36eb51d7f2e6dbf0f64f59

C:\Users\Admin\AppData\Local\Temp\Kcwk.exe

MD5 7bb010a8992b7580296648b92ba6a07d
SHA1 7f9c444f7882d4d15003c49a6fb194c48fb8eaa4
SHA256 af9b50e4f7daac7a63b95f923819af49751c76b9cbe329261b1e5fe7e4b020f7
SHA512 a57213b1eb13432d3979e0f63f6512bcb23c6c06668ff8e840e6492c9b4374160dc44ee3a3694b78bfc809a1799972cc2c14007bdc631184b3a49d8d07a59e93

C:\Users\Admin\AppData\Local\Temp\kYkU.exe

MD5 dccb8bf8de0e27e977321dd23c4cd063
SHA1 5e06c6dd389b6b2412c22ee573419e1cce61a465
SHA256 4d11e0dd5ca347bde14d2b98311105f007907472bed52f075ea930ef43fa40f9
SHA512 99694835d9c44a84c34d9608b5d1ac8ad9fca0392d7918e45fdb72e14eea6ef6dbbc6698b21af59385b12f494481d4852467018d2550840bad0a661f846716a6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 2006fb206221d826b4886a1a77592f74
SHA1 04adfe41cc3cbe1656020f92ec9e268f4462f159
SHA256 57475093784b2076fc3fa9b57f7308bbad8ade1aee5069baf5b0bb5eeb484a9d
SHA512 1d6b293a3cc7ef95e5f72215e84d829bc139c111099d310cc55e66a81f5967e5b7016a8b57a9af3a20618718a829c12046a04b4d2318ff9bee5defa44f1ce6d5

C:\Users\Admin\AppData\Local\Temp\oEQA.exe

MD5 91cd210d1d25fdf6e8de2d0f9d8fb72b
SHA1 c96bb0186101d844e54cc1553b9335a06c08449d
SHA256 cb9d94b7688ea09aa0f7b6df17f38538e8d18c0eb6d7822ced80f1f3a13e42c0
SHA512 0ed23c1bfe508f2f27f1ab8ff94219add9547fea0b0c9e1ac584a4629e1f808b4336e53af91238c19ed7703432dd8074bd70ede20ac7dd65c71b4d325b83989d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 8c5c6d48450fbc0622324621dd3097ed
SHA1 d89beaf03d6583998a34ea782ae648fa6170d9b7
SHA256 e97e8357fb1916bba22ecd06e45aa51e2735b3ae9fa7bd5cc37bbd736ea2c80f
SHA512 821a5afefd1568cc1a4bd3cb3f4d7bf0d4e6621850e87b872e5ec4df05b395ad636eac38c2db01b2d8d15d4af45bac09f3a66d36994e2c5189dd30e47a40f4ff

C:\Users\Admin\AppData\Local\Temp\eUQg.exe

MD5 24dedec1744198bf1cf3a9fd66ad4c13
SHA1 f672a89bf3599321f2b59d5cdd3fb852701a001d
SHA256 3066f128695be1d1fc09efb3a4475fea70027f9ae25c418bd46f5ea56f6f1f80
SHA512 5a5f6473569d4eb8b47a016e7739d7b91f4b36fe1e79056277231e7ce21dba2dd1b63c2d38026a49967da35d1333ccac22dec1bf8c0cd1850d0a48852d9b3f15

C:\Users\Admin\AppData\Local\Temp\sAow.exe

MD5 af9cc67557ac70be17d6bf7cd7596b66
SHA1 0f596ff0ce59914f9ca1b2ef8e8e7e1734292c31
SHA256 a098c38daf3f616e2187502e67954e3cbac0724c9ffdb525ac9e32b317151817
SHA512 46e884efc9b6b57120a4e02466d3fd959cfd52b0c0f1c0d0c7e16dc1dcde23a327fa52ba65c46a887bbc7cb99e8a18e6fc6b10c079d3dd0b2c3ad4c1e86e97d7

C:\Users\Admin\AppData\Local\Temp\yIwC.exe

MD5 702769776f85af771a0e93dad7ac6e94
SHA1 b838052812ba420ade13f1c7fa8ddc69f2c31cfb
SHA256 96b6131e6434f9ba3dae3e02ddedbb06bf8804a2e1f7e60d5b2248c512fdea58
SHA512 3c7199e3a4a221b306ff72579f92cdf8f8089293fd1437665081fe44ba5d70c0308c017951d8afc33b898f1316a769657c1591405bb90a1e8b313d40ce41bfce

C:\Users\Admin\AppData\Local\Temp\oEok.exe

MD5 f2a00bf4242c5834fc539fa7dfbc79e7
SHA1 9e9c7ef328bb1dd2005b47055e0d19ee87ba0241
SHA256 a60d176b7a858d9def28f03c72657105257a0a695c99522782013cb880f7c99f
SHA512 84dc771f3141c88e092dfc024d545924071b649dfdd45e3b2fda564da68f48ad50aaecc46836f91c1637bd5058072bb71d9378afa63db76709668cf350e3df19

C:\Users\Admin\AppData\Local\Temp\qgEG.exe

MD5 7b92c26e8cf1fc0ba79fd3445c15ba64
SHA1 0ab8d31d5cf23e2d66a59cf88f66f09c10923b67
SHA256 859f24d9a3fc865914afd5e0cbb77cecbf09411f1c361a2d80d96d1ced387705
SHA512 58dc51b0fda755512e3c5b2f242828a6a2b278d9ea397b98ad2242f7d5eea9997babd1fc503bbcb04a48af49ef4f5c6b0bd78e14c994d6b350723dcc0e121941

C:\Users\Admin\AppData\Local\Temp\EAYQ.exe

MD5 85fc68687a4eae999583c8661608e32c
SHA1 13d6ef7a461cf81d439acab32cd51e70ea3d503a
SHA256 933c4ca84ff524cc781c82d99676f1cbd31bd236d31a0abb79ccd7b4e2769b9b
SHA512 33946ee7df0aeb1e458e32edeefea9c8abb6702459ce71ca476d457dab8ea13d2a3a03cf2bfc116367e6f19f472600bdd230c636b904f8b1e2c9ea6beb3a0241

C:\Users\Admin\AppData\Local\Temp\aYAM.exe

MD5 17b9be3d32d02d282b2e5eedbc9f7768
SHA1 a462ec8be3b3b226675ba929f92a8cde84f41f9c
SHA256 17c357db6c00da430abfef61e037bf111181e21946da47e387ba695232b9dd04
SHA512 143b663b4769588924f639570af3228b46c8b4dfdbebf926a4513aae09fd4f13c378e502a78e2a716b25411b8c70605799d54583ba58700ee066d6fa4b0359f2

C:\Users\Admin\AppData\Local\Temp\CwQC.exe

MD5 3f41773f4af5d7724046ed49122d4a07
SHA1 7ca93091c435d67bbad8476177346db05ac97d25
SHA256 34cd7e359889917180b44c40f07de0378df6d9110e768608180871db94d401cb
SHA512 e1fba84a7801188e81389922551dda57d39d38e55af94b49644e646f8c93c07c1fe63815268ef46403d72c89f7a224222725082bbe45f51ab0d7fa9cad9c8a9e

C:\Users\Admin\AppData\Local\Temp\CUUy.exe

MD5 fb713500fd838669f793d1c4c52a3f23
SHA1 b6677d684d4aaab6b3de9454523c3bfef506fddd
SHA256 8239430ba5cd2255138b81229ec8a78724f8234b3bbd79780abf7947af1b46b4
SHA512 690f9958448ee859b7f8ee7b29dbea26b9f0e4f943b367250c87227557bd99bdc47104ca6a9a01e94f58c71cf9a8e702edbd074d51bd1600284cf7bfb5f38eba

C:\Users\Admin\AppData\Local\Temp\gckE.exe

MD5 cf6675257d57cd3db4567988ad3211e9
SHA1 5d1e6ee05e659d0560436f5644c8e0cb6241661a
SHA256 37719854c81a81dddde269cb660b85fee3803b336c8717a1507d83d69b87d354
SHA512 89a3f87f0db938cf8a2b0e547e108d710aa1d0205a3a671f8c90fb75b5efb0cbabfb9903f22502902b303aeec0888b84c66255ea453ae25ecf86e712677c2d09

C:\Users\Admin\AppData\Local\Temp\wAAK.exe

MD5 8e61e534fa731ffdbc8a7f02cde01c87
SHA1 99e687b33d8c8dc1e9b171a9b004f2ef4ad12af6
SHA256 a56b8b3d696a425ca7a8e00fd9f8f483949f5d6988f288d79d2d0954643a41d6
SHA512 eed9af378cc34796a9a8f2cdda89ae1ce4031e42bb5f1fcbbba10fcca13f703233315aedd9bd172045e16c1e2893d97128b0943abcfb1ee4d3c8c5ced392f0b9

C:\Users\Admin\AppData\Local\Temp\eMMG.exe

MD5 aa0727a3ceb7ee49d693ec3ddd4e24bf
SHA1 9499abe0c6cb0b6589c8d94cb24260238cba1fba
SHA256 615e070e5069097380926dd279a63c8908bf1b49ce5c5a549ba7690a5f7737bd
SHA512 a07d5c344ea182911ab56f19b73e5ee616c5fd1c9f6f26d46a3307432ac82339fa90e1b6e9567342af4ba5dc809549df79d3846e4cd80e3df4ff8018d33a7144

C:\Users\Admin\AppData\Local\Temp\IwYU.exe

MD5 b08b446142de32ad9d0bf5bc59476299
SHA1 c584a4347e21a7b166769c227591606e5a7da563
SHA256 c8ebccdc959d6fbcbf80dfde0ccb14f7d48b1a1c9c1a9ccfbb67adb01b0fdd65
SHA512 5dadb2f9a5020158e70b9854e0044f0676782eaff6b42d1e23d9d055914163f2d9e299d4a399a51bd48f8f29d67408762b994de7d782a27f4d813900334173d0

C:\Users\Admin\AppData\Local\Temp\WAsS.exe

MD5 8bff98cbd108782a6e727fbe98003ce3
SHA1 78d0c1a7d5b197b75c96adbcd1ab5dafc455a148
SHA256 1f54d22e1da158460e7ff766907975c683720457d33271d2d5fc26cc215beb11
SHA512 e48b9ed0af2b2df18f42c0568b3cd1f9eb8472b0589ff5d459204894d2afc65fdd9e6485f163885d2ab571fb5c74c70a0e12443415ee645913a1060f5ebb2f57

C:\Users\Admin\AppData\Local\Temp\KAoS.exe

MD5 b050f38329df23270f61860937c751c7
SHA1 e26466c1cba770e8e5e9e6b79e9fd8108129ce5c
SHA256 67b7bfc10c71200be995170461d1ef317173c2460470246f93fb7c52433ddf1c
SHA512 e43173cc2bf17623c741c3e36feb31d07b7f8caffdfb9507cfd70f497559ff7dc37223d5bfbb7a74e9a5b27f2fd0e4b54e8c6bf6e68b551c8193b4b5d64710c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\192.png.exe

MD5 e3e7472d5372d0f90272ff8a018fba98
SHA1 a4cc74d502a0c5534cbac6e90d4c2e32f61f2e30
SHA256 b06714a49a42890f8613ec2b5943dff90f07f2fe7fa353e31b8c0b1df7f04803
SHA512 681b991da43c8cf4dcd8cc9478d0921b7b0ab2c317b8b95507c47c2d7c1bbc109af82abe7d6b491cbba7c6f8e9d0bde45ef675b28acc6448f0d36ed38f730fe1

C:\Users\Admin\AppData\Local\Temp\IsUG.exe

MD5 998af818a3d0e93ff22b15ece27fb471
SHA1 8bdeab0a403950e7cebe23e8863bf86a8b8fc559
SHA256 6229cf5ccb5012b9f6a46b6390e92e85ce19a99c332650611d77e75ee60dfd3e
SHA512 fdb2d16a060e4e0a2c6937c8c64743d952184f2cf8eaa7605c6cf77caeb7cfef3403c64ef50d8e9546f5c1b67ac18a9a06eaf91e85320968522b0e9dbbfb9703

C:\Users\Admin\AppData\Local\Temp\ocEu.exe

MD5 1494b982f7a690de0850055e6bf5f08f
SHA1 b666379fb28243a90ecbea1a40ea72647f31b985
SHA256 2097cdffec47e6204fbab4920528b57acc7fcdd6d7b2d236741f475b995b3be3
SHA512 7b6dd70ecd52d7f76f74e2a1aadb449a44375448b11e4693e776f864a5f3a52fb376fb8229352660c47efc2fdba1f29ec5b6dab4963960697a5117b8a0fe1ca7

C:\Users\Admin\AppData\Local\Temp\QYQS.exe

MD5 d5b74d9aa3966ff3df6c4f940700d6cf
SHA1 75c9a404252f4341bb5c4286ee5138bba5edd050
SHA256 c0442ad16b8d5f6783332b6f5560fedd00cce8e4dc8a2c40b9d6b1bdab4a8437
SHA512 dd416b1428e65770f46c0be1f6329639b7fcff92b76ea7fbeadad9a7c27cadfd78b537c63c63dc329895b72bb97d4da4bbee6d5a4109b4a7b1bd66374fb8430d

C:\Users\Admin\AppData\Local\Temp\OQIm.exe

MD5 eb66723ca930dcd2d3bb9e84ab570c47
SHA1 bbcb51ea3f7d4fb96b9d7d81007bb8596ed1fa85
SHA256 775c77b4778378da6bb77f3a42434019cf3f01e756ff739964d9944db8e72eaa
SHA512 5d29253649c88961857394f05944f8bfd8064e45eff0b29d233f95b126034481cde9b4b2596fe40caad7a6ca71552e04800f7935a8a768f0a13afdbeafc5ea8d

C:\Users\Admin\AppData\Local\Temp\OgwI.exe

MD5 977bb24908df4185e3ab4a20420012c4
SHA1 28f14b963649547f649da28d355d162ca111e551
SHA256 2e09cfa042eaf57763e4d1ac9917edec2c995ac47dfb47a3ec4b82e4fbca1302
SHA512 d2accec9cf22d1b72f9f97d970f4385587998e9997125dfa88202980e2a1965d38e1eb50a9f2d0f5f98bf6ca5fcdd2ebefdbdc810ee84f44ab0bfdc36c2f27f5

C:\Users\Admin\AppData\Local\Temp\agcg.exe

MD5 8a040fc94b0180396f9c612900c6555f
SHA1 2351446e28d6eb27987be3e5f2b7505b909d71b8
SHA256 15e494e88153b6f2f238ae48f25ff478c59a6fbde844912c0177b2a0e3188355
SHA512 ba80f6da4b2eab3ded17d2e17801629fbdc6597348fe26c99eebeb83e8caa43020aada26fed95ff0e29b50367cb212915d486d1c1347808326772ddc2a2deecc

C:\Users\Admin\AppData\Local\Temp\mMYc.exe

MD5 f9d80a8c52a95d77dec27f995d19940b
SHA1 d38d4856b206f7ac29d0e78ed73eb66f876593de
SHA256 a43b6e8540725ddded4c7c6a8caaad95bc3ce5eee619f05209da0dd662a2ef7d
SHA512 bc0a9a79eb256e1f3aa06a42fa8efa0a79ed550143c8ab2b72134b14658f263d06aa2496e5efd4d96c66527d9e761f8e1e96a0504fc75f8ec8039cfd1e9d03da

C:\Users\Admin\AppData\Local\Temp\wsIm.exe

MD5 43b5266ccf49d093e4ca0b3d74002956
SHA1 43520598d42be78067c7bf495f044172933ae04b
SHA256 e2f69758f3c526386b7f7526a3b5b1a6b9ac100a15d41c06669af1e07711c07a
SHA512 fc15c3fcc6418c60ede299bcf2284d93c77dbc22be6c41aca780ad4e3ce50e0c8bb7228e0dcab11ca359547274564428a6282de8e87ec136fb3e94bbaa3b777d

C:\Users\Admin\AppData\Local\Temp\oIsY.exe

MD5 71114618ea215e195449b77ac462f80e
SHA1 133f3e1db74b55225efcbfc023967422d34eb68e
SHA256 b74afe68f2796be36cf1046a9466bead4631fbcb78509a719cb9a07039688a04
SHA512 0e0bafc82f35e1434ebcea8669b68aa41045404551b2531301023f39eef29fbd3d91e7a8e0e8ede3810153d7b7e5bf97524a7615c681aa2f7fc6b34bacd80161

C:\Users\Admin\AppData\Local\Temp\awQs.exe

MD5 61f8f06c0b3a113b4e06cd18939faaa5
SHA1 d894a6d9638d2307d3d4e0e5f0759120f3b1d4cc
SHA256 de30929b1c1572c3c5436f3f7d5233eec89c39bbf3a054896afa8b4a548e669d
SHA512 b7ca72c57b6bcbedcd37a36d8d82c0810f7824c64b2a18a6ff412cb01cd9f6a5f41c37f53e371bfc73bd8c52c47306107e805f52ae21848f23524e29b478475a

C:\Users\Admin\AppData\Local\Temp\cYok.exe

MD5 1a7467e1c0150cdcf2384380a519e366
SHA1 c29bda05087a74f74a25f500bd1de76388146430
SHA256 19eea81598c2289192f8a25b3b950a771bcb102ca87dee27af62cfacaa1c3722
SHA512 36d1362f28505cc13baa09c2a55e399b2b1fac1471d2f8b092e20ca5bd6bca44d921bc5b0801d7d63dd9a362e516ffee4ffcfc2462729fd2eb1936e5ca1f68c1

C:\Users\Admin\AppData\Local\Temp\QQQY.exe

MD5 47b783b622413639d12143e5bd2d98a4
SHA1 56837d9b96a3be65615125c50f97938e0d01852c
SHA256 f8f870329c26652c4917d0d58f5e030f2aa951223af4cab6b88ec511be37a01d
SHA512 879ac5370dd3385b4a53977337ff0040586167c628e6b937a384740f11bdabcab1ea0295fa46b82e25a906d17d69c6b9fcc791a564806027b2a47bf8d454d4bd

C:\Users\Admin\AppData\Local\Temp\uYUw.exe

MD5 dc60a2e6184c21198dc457e8905f57b1
SHA1 fff8caaabcbb6f8b1af8784b908dfe87c94d253f
SHA256 1b9f1918d31a78bc48cd61b9eb18b06380fb59896f4d90b0f374e8c65b3fd208
SHA512 93a4fdbc03fd435b5129802a6575a172c75ebd87af7a7311899b0d2c244d8c65fb76fe2e16e6473f2c7e56b225b0b8a8952d1c52afe88aec7f24c3567b1c606c

C:\Users\Admin\AppData\Local\Temp\Qsku.exe

MD5 f885ebe72ab74bf7c94c376302a402da
SHA1 11739972248b219a89a07cf89e206508871df7f0
SHA256 3044029152d83917c7fe062030b608e8c4d64e68dfdf2bd469e24f20ed7b428d
SHA512 8c0f010f344dbc7a4d98bd2e66aba6b5dc239ec60cef555a8bf22bb3fdfe6eb42f8efcb44fe034e3b9d3fb2bdded798634ea85bb2b0e4ccff578294dbeb8c6e2

C:\Users\Admin\AppData\Local\Temp\owUG.exe

MD5 a58bbdea47bf17f0522a149cd04d6213
SHA1 f3e70e94fdc63af0afb4a90a76f552671a475061
SHA256 2f59540f4af72f938f415f7525713b055a361fe6d0e2d8e30979132503483c06
SHA512 4d4d8473c0650abd00dc96643d28fd0ae1c596c21d47ac1163e9ca6e96d716b38918b4982eb88dd0b41f44c1bff63d93c26f29676875733bdcfa2696aeea7547

C:\Users\Admin\AppData\Local\Temp\ekkU.exe

MD5 4eff2c4515495a0a80b951a533d41b0e
SHA1 942f5cca9bb9a59f63bbd56f5b3722a1dd214fe5
SHA256 4b70576cf0242a767a540593c622f4d0bac3a7d24dd0e1d098a9fd93f0005dbc
SHA512 797e41d4a9ddf5dcae5b156b07d1b761628c9ccb2900043c89cdc1337faf4acd3bd703b42e30f2e8f92cff7db3d061f59813f00d021ff25760071b2a452b5238

C:\Users\Admin\AppData\Local\Temp\awwI.exe

MD5 286df3f22692b441dd31c62664c02ecd
SHA1 687c8dde37c31f8f062e9ccf4a471257c3ae9a06
SHA256 5a93fdf9ad1c393575703ab42d14d511d8142c6213a8c2b60b5aa3ee47627e93
SHA512 8ad6e4bde4789373a1b2451db170c83610eda7b9e9de09d8edec2a1f66aa098e07784d104c2d533630bf19f1c43037898aa53433baecdc63c950adde7fa1587b

C:\Users\Admin\AppData\Local\Temp\yAEO.exe

MD5 72995798d5448bba4def9b1b61e0bc5b
SHA1 e4c00ce3513d4df25ad66502ac885b94c203b56f
SHA256 07886adb155c75d9e5231d2b60961676d9e1b579f02e21b053e963e6525f9298
SHA512 b7f0d877f28e4d1fc3ec6557b9d0ef18ab1565858d72d011804ad66e90398e016ff0a2e361cad86df309a3ea96aed4ab0433c450ad62e48a415208a7f2dc101d

C:\Users\Admin\AppData\Local\Temp\YIMI.exe

MD5 b395c9cdf8c7ba562dd403f48ecc9e3e
SHA1 1113405eb2476b0bc2ad9126f48d53b8a91c723a
SHA256 6ae685a6f49347af043035473af33c1dce562a63d3cef84d5a37142441e83002
SHA512 3c72ba99f73434eea2c650efd1d4b14c2f233fd4f47ec23a4dddb937809e3b4c1caceb9ccdb578667310de35595e94df2b1e8a8be57ae1043c2edf521800e626

C:\Users\Admin\AppData\Local\Temp\cMwC.exe

MD5 01d19bb25cef49302902d2cf09f7c5ce
SHA1 71e1d2457abc086984d06d922cac1319e24a5670
SHA256 543470f0d301a2cf6189d28a53f56be8bc746e71129cf1e8a78f23922951d415
SHA512 8491fe7984e2f31013ef3a0946b58921b3f8dd3035e28e56dd4847b6dd7c50a92ea7b3ca45eec425a43bbfbd4bb65c72e9ba2275564d8b7863b3f71103555014

C:\Users\Admin\AppData\Local\Temp\uwgO.exe

MD5 4def7c2bea5f08094b37b214cadffa74
SHA1 1f9f9156a4bf628dc9a665e80077f5919437046d
SHA256 c8fb4f248df7ade948053a4450513eb2c6ef2be9d8a32bf369729bd022d0bd89
SHA512 fd501b7bf79e5666142702b7972a1763624eb828e77c6719cb9c14e6dfb5509a8781c07e8db1a15a663f32472d484c9f3a9585b8fd5d71bf2293c16f6a2d8793

C:\Users\Admin\AppData\Local\Temp\YsEa.exe

MD5 786316313c8ec18653c0d5d0a21f8d31
SHA1 142860e52ec5ac5fd13bb9212329c22d58766298
SHA256 7b07f0dca21917b2d668b902ef0e84b86b4fbda969c4bc1c46b4c2bd8072d253
SHA512 bf719351b0b129db8f6a9319456bf544803fafef6d0bdb94da99b3a92eff4b7e7ffaedd0acc2b57c350a4790149976ba5dd961a05133090ed3e1e2dcf8c7e2dd

C:\Users\Admin\AppData\Local\Temp\ckEM.exe

MD5 f10f3a5653febced69012bb80c0d1907
SHA1 513c97454f66b0b4e7931cc6f338ba9bb847169c
SHA256 3791eaeea175d0b93455fede54ef62d005c97015fc29a37d7f4a92840e7b917a
SHA512 beb0ef20019238a9af09e743e21910f4f5ea54f7f08c9ba2c16a58304ff528951ff852241c05ede2cc82e989c12cd84b2b98da82ebf545fdba833f89d2f779f8

C:\Users\Admin\AppData\Local\Temp\KEgS.exe

MD5 de35a04104fa5a3bf4ba89f3fc3c7ef4
SHA1 7c14422cba7a28ca1919ec7ae138600fa679f3e3
SHA256 205ec3d8080a630c59d0b968469720c945b7f17be22bd94b59dbee914fd0ce11
SHA512 210c08c5c93ff932309b1cc9204e09ad245b42339400f623dedecbd2754a25fb6c9b487c93a7007a53df5766c35855d51f89f3900a048c67ab9e5bb082cdd7f8

C:\Users\Admin\AppData\Local\Temp\yAIa.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\OMIA.exe

MD5 2ec803f5336b579e11f6667635ce64f0
SHA1 29bee0a96b061e80efcd77117b5ba368afb033bc
SHA256 02c06174b945e2a6bafc49880f677a9c829f6e7d0659f59767f2896b614103a5
SHA512 cd2b88a6937530141d3949f8172bfd4bf717071fb0fea4e5e85cfe2fb9fa20fa104855f20ed86b6fb32f170bd35cc539624b90e924b5f95d3ac459331f85ae0b

C:\Users\Admin\AppData\Local\Temp\ScUC.exe

MD5 f48a20fc15c27faea1227981305df2ec
SHA1 713c91e52f656b284a0685bda15e37d9ce4da8b3
SHA256 2492032579cd597115e6e992fbae72c59feee6ccb5f625559ed623f54d4e2093
SHA512 d73878520ca8cbe13811e65d8faa8ca1da846645069e0ab6ad8c6229b597b1ffb59724423df67f58d831323e8b33d4573dcb8009c0587b881d4cf8455f245a2f

C:\Users\Admin\AppData\Local\Temp\WcUa.exe

MD5 3ce705c3330181125d5a9693001e5eee
SHA1 e9f9731605a31c321401a143f2bd8dacbb31b55d
SHA256 9e61518c78d87ba693a8fb3439b2652a5aba6c6ec74908c9b32ff4e7f7a79183
SHA512 0d2ecddfad5b11619812b7b5163097603cba041487595fae8a76d4402846ba70dac39fd75beb522cf9ebe91204a903aefddd6680405d59dac31a5ff1cecdef41

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 a5b9a94a5028184d4bf69e3dce343dc0
SHA1 860d23bf17f68a3d1368783c18abfe1ec86a64a4
SHA256 fd442a6f945e399e1130e763c5e62f7205a4cfd07f95cc6f1048378e96875d9f
SHA512 a7561bfda4afbe05de91de2156885755dcacede672d27ee3bc3dee5c95c993c257fc3bef1b845603a522d1c7bed456fbc0f349288236d48896f4a6386d87570d

C:\Users\Admin\AppData\Local\Temp\wYoC.exe

MD5 8d698e9b8861beb46be6e76aecdfd97a
SHA1 b1bd9e4edd4e77d91bab27f3bc1e45421360dade
SHA256 0db44d31c895ece4c786d5d42c3e9a04645000bc5af0037f1efe2bb8e21e3a59
SHA512 de9d4a3f613b32c8435c085bbd6ec51a5d5db8a8aaf0c10c50aee6a3b752e1a1913657795cecd1ab41e1899599eaf05d9397e7da0f8796ac1e7851ded015b4b8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 e957abc88592115994ca4bb8826fcdaa
SHA1 baf8f54bf1c7e6ff75d6340714cbf21cd1b3df7d
SHA256 c2482b24b54bfd17d0a53374a0f84649948a4bac014bc436c0e0e3e7fc935118
SHA512 c57ffc7bd5bfc4345e3e5119759ba75adad8286a5389873aaaec402fa953e892f98cf6d9844115d8d3d3ed080dc8fabce8c865796091417963c96fdea62cbac2

C:\Users\Admin\AppData\Local\Temp\MMwO.exe

MD5 01d68bdac014655ef6786ce7db94afe4
SHA1 bf3ca3e60a5556b158148e6dd36a5e23e390b1ba
SHA256 7cc4422a029ef59029fbb7ed7b06db0d721ebaf4d07ce50919a9f4871a262fc9
SHA512 de12e863abfdfce234f3478693dbf1f57cc98fe4ed885622df83b10a2dbe5acecca247c4abf5a264eceddc5a95fd2511815f02eafacc5ff3768acef0ba1bdfde

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 0aa2e7fbcfcd933ba6b7d8ef6238c11e
SHA1 e8ede97147022858850c52e1bedc60973035928c
SHA256 2b193e263efbe2418eecd39d5ff8800caf680ebdd6ac062e392dc2079835d4e9
SHA512 727b8966f8711d24beb797949ae3a463e2ceb253d21c5a8645f1f4b2effb0d97afa189c190120b033734e42c51af60d6f4e80f9a3079d5730c6a4ce000385d68

C:\Users\Admin\AppData\Local\Temp\OUkE.exe

MD5 4af7d0704a9415ddcb36461bd2928605
SHA1 2a0190b60042128a9e055ed8dcec9c4d126853d2
SHA256 eb7da1a498e59ad95625b2efda46d88866da1edd6b58c635d1e8b4efb54d5c98
SHA512 765576bee4ad1386e4d4914f896179520be0b634df7e5307d31f80560cc372d9a33da913eac278e385a79e514205e174526008b1d43e1b5c85fda8b6fcb8c431

C:\Users\Admin\AppData\Local\Temp\CoQw.exe

MD5 98fa08cf4bd225ce8abf36c18b394307
SHA1 9be27a9e2da210b948258375f66da8b96630961c
SHA256 0367b324fede6c5756003ae0039abb05a607cf23dd7dea6af043841358dce93f
SHA512 c0e77a65fba79c2dabad9310e30ce55db7775e75b852e2c52a97bd76b1953c65a998757a6cd0a3493dfc9dcce0b240f2bff0ca1c8bdcfa431f1d56c181a090a1

C:\Users\Admin\AppData\Local\Temp\IUYo.exe

MD5 0f0a9c2ba75fc83559bf46a0a5238dd5
SHA1 0e3c3e1169e0d309a08ee0a1f6776dbfa5ebda31
SHA256 f6df1816a4132475ec7f58f084ff127a53a7f9c3a0cceb4f0311035fb0e72b9d
SHA512 6681b08a23e5765b0add3b2050424cc3ad8d6c97ba9c69cc6727aa63978ab7892ea7f8da8e06916a0134b353595f47c4ee9116857fec5007dda9b69ecf93adcd

C:\Users\Admin\AppData\Local\Temp\mgUO.exe

MD5 675e0e289c575b2445837789ebbdcb9d
SHA1 aa91e2d11da5c11fd6dab777e74f197a9656e724
SHA256 24735604f3c0bc88c2afbeab93b93aedbddefc0f7c065bf12726dd0d58c624d8
SHA512 1424546312fd31f2288c62b632809beccba0d2aaf66e867704d9b82337a4a6fed2c9d9ea0190d512bf5071c668d61526ca3d5e17a791fc08f5d0266219bc7a22

C:\Users\Admin\AppData\Local\Temp\AEwo.exe

MD5 063ea60fe2bf88fff2e0170dd8add039
SHA1 c6ceb63f27f78a8205c4734699877bfb4a33bae5
SHA256 927162106ca7437430a9cb037d54c0d98a7651eca2b22ed6a72e49f270f97af6
SHA512 f31aa9f071be3a44c80e2c3a2c975273dce1736b304984e176bdcff1be297944899cb38e1f954bb1f666758ccd54b29755e205786623103d0e87a199207c8145

C:\Users\Admin\AppData\Local\Temp\EEEu.exe

MD5 9329340186e0a81b03e4948ffe58defe
SHA1 a4e98e5feaf99b9f6d7ce682b3ce229c993f5140
SHA256 4a30706c6aa08bb5a283bffe39839ed42d296111c844003c7addc5d230c0cff2
SHA512 cd089333ba74f4a7ea0b90f790216a3701f3f661226ff1f465c2113a0c69ed770d5816a12687a21c0f9118e4365cfbe67394f1e47127f8cab39114bb17d1726f

C:\Users\Admin\AppData\Local\Temp\SsQo.exe

MD5 5ba8acf1ec19dad650865bdd5ebb9dcf
SHA1 c2a143a09a673825754738a35357fa8367a1640b
SHA256 3f8e530823d69d97b7160afcf8f0bdb7525fa6a57f38011cf7687cf4fc01dd61
SHA512 4b103639c40dca98eed6c10b143e32dcd18ea0a4d300c713ea7cf0c8150d14ed9f4b9242782b55d67516b8f63afb0c871688bafe45112f59d9032ec4434e173f

C:\Users\Admin\AppData\Local\Temp\iYYE.exe

MD5 94f0f1fccd8833bca9179500b97e8071
SHA1 44e97e1f9aa19fbb2b8f84a52ec72a280c065957
SHA256 07d2d64610e0eb8bb72643713e685082fe3cc1b52bf4b8962c9a7634d2afe44c
SHA512 e4d2e8e62ac6edf02acf6c776ed02b5e4663cbf50d768632d5f7293851a931b4e915e19c074a4db9bd76c83a564b7419b4fdf90c4997f2981e210d2782d4693e

C:\Users\Admin\AppData\Local\Temp\ooYw.exe

MD5 a822dbf2fa11d58c2b2847a66dec320b
SHA1 c908a575dfe339be808bf6f498bac63441239d74
SHA256 5db5a193c07fcb705711746fb8affbe99379fea24c8550c9030d5a486c7c03ae
SHA512 704f7d9c02b8d0ba825b30225e51ad19bcf535b301fc965fb1af8f5340cf14640f10e225dd9bca10cbbccc72b9989ecb50fe96b8183d126cef82174fad0cb21b

C:\Windows\SysWOW64\shell32.dll.exe

MD5 c07d53e9878d5de4918b5adacb59550b
SHA1 e5f409c7f7ac5c56c4b0e44beab50c48920a1922
SHA256 4e2af7a75cf776720ad8c55ad7be6080735c8d7c4a22fb7d6c6995e77a9b6f04
SHA512 17742cc41b54cb5116b22998b5d6f9ad1b7393a4810dc4d03634c0f561816ffc5a809f521b5268c79fd27e5292ebeb5e20fd0e444bafd540b4acbce5489942e9

C:\Users\Admin\AppData\Local\Temp\cEIC.exe

MD5 cfd219b70de3a2ba3569df432eafaa8c
SHA1 618591e0f0c923419d4f5ed9118578fedade3133
SHA256 6b6b770aa6c51dff63d0ca78f34f63d68db36bf82802f1fbf34812cf4a97138f
SHA512 568cb272b614e9143ac595ddaa806829f991b24f23482d21db86054d07eb9ea232f705b96fffb0bc2696f628b0b17c47175d79fd91109950f41c99e23ea9a35f

C:\Users\Admin\AppData\Local\Temp\UIks.exe

MD5 3b97e88712d752849b3da11bfb54277a
SHA1 2014f10f973bdb47fd976fc70e3880a83d278bc1
SHA256 248d82f8cda84fc07d500ed442d0f3e1169b90569731d8137eb2ea7bdb5b780c
SHA512 7971dbed2b40e89d6fdd471152059e2bacdc511bbad94ed2c086e7e22f99dcde680eac8c6e753446937ae6ea8ffc4f7716158898fbb2e952e4c7c686a5027c60

C:\Users\Admin\AppData\Local\Temp\CwcW.exe

MD5 aec37a139bd3577d40baedc12b476058
SHA1 4091490db9e65a25266719523eb11e2fbd579b74
SHA256 6bf6c2a7f8caaeea88fe102242fa93f589eca5ea006b5ec8d29eb61638f13cc4
SHA512 1e12961f5ca9354611f8de3c131bed428670256ccbd683b79559a78dc6d6a319af9edb1e6b8649c31cbd8f13491dfb68e24f48106a75c016008e57ec2fa6291f

C:\Users\Admin\AppData\Local\Temp\swou.exe

MD5 3676da3f62abca933a9fa654badf4614
SHA1 475ec59e363208482a5e8938c814de7de51a6067
SHA256 4d95aa2ad3cfed0fe0f85dbccbadbefa563f57ada8c613431b60ac0404b9c6db
SHA512 caea0424beb2ae6eceeb01f022711b5c455d0cac048496bb39b6d505b5935336153df64d49585a78048404529c49267660d37cb7420e9c0de20a4ee9b95ca491

C:\Users\Admin\AppData\Local\Temp\awsQ.exe

MD5 61b22d536d31dc985a8379a7c9d02ddb
SHA1 2faa350ba7f7e8a58e5c5386adbd7b4095c48466
SHA256 74ebede94887132df7701045840eb194475373b8e04bb9f703721f1883069d37
SHA512 22a7343018bda0f8835b792fc1cfba2dbb033122f731db1038f169a8f77f5184ee9a10d2697e0b2fa06ef86ed28486361132fa533fa377e46eda3d20745db390

C:\Users\Admin\AppData\Local\Temp\iUke.exe

MD5 b0b0c8f2eeaddbe8a5eb9c1f40e92c56
SHA1 7ee80084b27f8b3a7506fb9f8ce23599bb199ab7
SHA256 2b8be850e54b823a78f9b4e7867be3cbbb350ec549f8c3088f3b401465c79c68
SHA512 a38e89a4eb3d32dced5f8489e46d8449afb562684e7ae42e64f64da4bb9339249081660ee0c318759c174f3b3e64d2b1ce8949f1bba342b57b333ea0e7f8f178

C:\Users\Admin\AppData\Local\Temp\iwgI.exe

MD5 0380ff9ba180a0d034b601f30d68d299
SHA1 14a7313388d6f01b95dc593c5231fcea2dca7779
SHA256 a8f9d6948985bbe36959dadcf2269a5757dd4ea63739663141ffa810d931af98
SHA512 1464d72cd5bf12edff39c58e1a86e5b5a574c57ab78e8d162d9a13b31ac6c94aa5f08dd811d121c59ed49c4594a84ee89a9b405a7d63e52bca83353d44037970

C:\Users\Admin\AppData\Local\Temp\QAks.exe

MD5 64f103856d648dd457de34353d85a7f7
SHA1 b746320d5832caed50e4d2092b067d0104db1fdf
SHA256 9eb1562b552aad0e7e247b31546cc4aa1705f05d81bd0f99b9e772a979715314
SHA512 c56ef2fa63a93780a426d25b61d4cbadbeb6512078bbcffd2638994211d878093da3598c3a599a13b5d07cfebdc40e20df298d18890081e158c25ee3d6ddc6f6

C:\Users\Admin\AppData\Local\Temp\ocEI.exe

MD5 601cc2f26853bf39eabc26bccb4b7335
SHA1 0dd0a9219fcb38c336daea4698c4e926d67cb46d
SHA256 d7482b833a2f348c1b1daaf6db1072ca50edd3219db864b14c244bde3d9b7693
SHA512 f1f2e1770c86f6d97b33da0732ba3ed64016f7892db56b45de99cc94536fcec26f261e0cdf6dfff94eca13ea13b53d03625cfa25229764a8511032c3f6fa8c86

C:\Users\Admin\AppData\Local\Temp\WgMQ.exe

MD5 aece746fa2417eed024e64e66d6906ab
SHA1 623e6a4f05f5df65f06775cb2d08bec1e51145a4
SHA256 dda431a8e3b6fc511a3877a932ceda7c52e1ff5c3c2d0a4f66ad7d8fbba14e1f
SHA512 e7169cfb1b0f03eebf3e371c3174cb05a93fb8459df2db5d8bff6d86d340f2e19ad94b3e3c49b696e759d58840f36f909d30b6a31badac2c893c9dd28500faf8

C:\Users\Admin\AppData\Local\Temp\IMEQ.exe

MD5 f26c876bee740cf657c90663a6dddc85
SHA1 e5bb9da3ea578762ff948d089e44c1000fe2cb7b
SHA256 e869f15d1f4a5a5cd5a69b162365fad135aa4b59b7ff1528a634f1edc2887061
SHA512 e57140f9fcc37fda6f5b650d980ee8240eb65f2044bb86b9edcbe74e4736c8d5b7d42bcbb178cddcb76d26387e4e0f7236c353607e05ccda6f86647f29e3c18d

C:\Users\Admin\AppData\Local\Temp\WkkC.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\MQEE.exe

MD5 0c816ca5d78c75943388caac05e17a65
SHA1 0f596e4a04bc50c19646e7e222c32728eccc6e29
SHA256 fee0a0065a259cf7b200530e8e6b179bf8e4aeaa66a066f85998844ee64f6a6f
SHA512 54ed507f799d14e3a54a9a786e68e8d5b6334b1a9d2bfd168b09c58bff26ddb1521421879341878323118acaf3e4d7ca8d24cf2e0269e3f2d466fe9d1a902985

C:\Users\Admin\AppData\Local\Temp\oUEY.exe

MD5 48bab9f86527910805597c5e37ecac8c
SHA1 6f790e5e0442b78cbd75b7daafcba57d33b0e4ed
SHA256 5dbcd3b9831d93a5db3fba3c38fa956cca68ecd37587bfa1e341f3914de13151
SHA512 24b7cb5b5334d106057d8d8f67f2b8a6f25a783dd5172f59f4764e51a7b76064e7b31eae360477fe4628af4df06e3accfc6647e0ee698947cb73335651015579

C:\Users\Admin\AppData\Local\Temp\YgEI.exe

MD5 a4c23533c8cd9790775a781f5ba0f975
SHA1 cdee0c9daecf7b924ece21aa14dc643eff190a91
SHA256 eca3f2ad430794ca0fada73db25bec0457a73abbee70808fd3af7d706679f0fb
SHA512 98734763fb9b915022e1548a1910cca26dfa95c95efa43ca04564a1ca03f37bd6cc41f8a722576b2a157942babc8b89fd07762929a6d9289d83af1858a9611bd

C:\Users\Admin\AppData\Local\Temp\KcES.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\oAgE.exe

MD5 a94d1e9f3cdd9c86c9802df9f53a5356
SHA1 2f6339cab9a5978316d435eaf9133a981a5ea6d2
SHA256 d99da1aa4b6466b067f28fbbbdfbcba7bd59898cd5312f877c07f393f92db335
SHA512 28d89282fd8b2cf65e518603a8b004e80ab849f6c1749daba723447cd880d189fd4428dcae678d56bcc0b4fde107565940f159bd91f20acc05e5952237578b7f

C:\Users\Admin\AppData\Local\Temp\qEMG.exe

MD5 97f7c7dd4289d97aff18cd8cc2e6afea
SHA1 85027af582ceee3a1dd07f8c082ee9cd28d43dbe
SHA256 ca845a60dd8c878f62dcd09679e46c1a5b80841d5cd232ade2dc796f09e9e408
SHA512 56302e1e00ed01162d162cbe940958357c137852d8b15d6b90a3662f01ad7ff5869c2f2923c086896b0ac2c71193edbacd3be3c4438f4473876ea8559a4588b3

C:\Users\Admin\AppData\Local\Temp\OYgA.exe

MD5 9568bb2bc3b6c80d5b982ef619210b0c
SHA1 1f0c2a4c4231b0f0ce22c962976aa11068f1fc53
SHA256 6990d716647a52607c355004ba84667ade71fc12fd602c77a4b0f32b586df818
SHA512 1dddd3f71e17c9d2802bad11aa2d13037059f49018f570f4364bb502e1053da190e56ddb39f30ae74ad3b28bc937edd54196417c887ffa5c9abed83cdd7dbe86

C:\Users\Admin\AppData\Local\Temp\wgcU.exe

MD5 467305faa56c8ad809bf6795817e1ea7
SHA1 b12f8e4a9ac2729685e5d3f9583930d0e8a7aeab
SHA256 990e375f2c06a14ee5d9df878b5930bca2afca7176463d5ec9eebc350964bca7
SHA512 db5df15478e7c810da1970ae83d163d45da50c584926a638dfc7f6791a58f627afa27c06b4cc3043eff40431578863ba344c5dbc20341040921694f163c7937d

C:\Users\Admin\AppData\Local\Temp\qUEo.exe

MD5 2c6763aeb8447257ee91dd647d368f5f
SHA1 efbbda9e3f32e3b7513a7644ccf9b6aeb576f571
SHA256 272d2edb68eb543df6e0d274699d6f2b0415f6418c4d12d0a7948329d9d0adb2
SHA512 f07e8fac72e147a8bdc8c06a356c318eb4f7f21dfcb8f8a98d607cfb0717d4d867f3a3c6822c1d80ca69f518ad14476a9bbbf49e4fda5c5f309502464e5260bc

C:\Users\Admin\AppData\Local\Temp\yEMQ.exe

MD5 1bc75bf82287733977457c33d97c169f
SHA1 afc7801fba868683721eaf2ec33744440dcdb86f
SHA256 a0fa12a44e0a068f604077e0d2afd82079cb8755936a86ca694a3002ee4bc06b
SHA512 985a93f716ddea40a8127c4f51217b3fb5917af0d14a59fdf9f1c84eda37f3bc9310142d43fc2a6bcdfd297b74a03a8e761f44ef537418ca939f95670cf019ee

C:\Users\Admin\AppData\Local\Temp\usoq.exe

MD5 a95de61e765dd0ec0ff81261effc80b1
SHA1 822ec3772d3dca425bf4fcc5845c8c27201a310f
SHA256 2b29a6f76afbee0d03a7b22d769603d3dd2daa22e5649fae6223ecb0da552b37
SHA512 0028cebb1e1121d001bb8e37fd1b7f660eb641f8300ca193f0c9b53c2547a21cc5c74563a127ccfe4387e3cd60b8f06f1c2289ca92222dfa249da8d0153fdad7

C:\Users\Admin\AppData\Local\Temp\Kkou.exe

MD5 18ac2e4db183662b0f18fd7e357205c5
SHA1 a0c843b22904d2eb9e846da3ea29f5c52e16cb4b
SHA256 a7b43ffe37a7242cf5b832719d68568298a8cdf183b66e69bef3e95099fe1df9
SHA512 44a9553c960c0905409ccc2076301e4937df398ebbbd2fe24270a3310d584f03f6ef9aa1519f88226246c97af55870a26c3861d9471a6bb71e42fe29c4c6b8dc

C:\Users\Admin\AppData\Local\Temp\IMcO.exe

MD5 20abbf43f8069e3956a6b0019e60716e
SHA1 8a14fc5abc2b73eeec2bb8cf0a19b3dda8bd3807
SHA256 6a8621842b4dbb2b37d2b5d4b20542af7700c1110993542bd60ece4c73c0d1aa
SHA512 a0d0c28119d691a851c55b30c635966fb0bd73cb40a224297af28201e2b430af17ec6d6c0cab7a79d17d7ecd19856ea6fc44843cd1c2a00d253cbef346f97bad

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-02 07:10

Reported

2025-05-02 07:13

Platform

win11-20250410-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (86) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A
N/A N/A C:\ProgramData\peIIkAIk\uioQcEUU.exe N/A
N/A N/A C:\ProgramData\peIIkAIk\uioQcEUU.exe N/A
N/A N/A C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCwQEAYA.exe = "C:\\Users\\Admin\\xQUIoMEY\\YCwQEAYA.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uioQcEUU.exe = "C:\\ProgramData\\peIIkAIk\\uioQcEUU.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCwQEAYA.exe = "C:\\Users\\Admin\\xQUIoMEY\\YCwQEAYA.exe" C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uioQcEUU.exe = "C:\\ProgramData\\peIIkAIk\\uioQcEUU.exe" C:\ProgramData\peIIkAIk\uioQcEUU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCwQEAYA.exe = "C:\\Users\\Admin\\xQUIoMEY\\YCwQEAYA.exe" C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uioQcEUU.exe = "C:\\ProgramData\\peIIkAIk\\uioQcEUU.exe" C:\ProgramData\peIIkAIk\uioQcEUU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\kYQsEYwY.exe = "C:\\Users\\Admin\\UygkYwsU\\kYQsEYwY.exe" N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NOgUskQg.exe = "C:\\ProgramData\\acMwkAEg\\NOgUskQg.exe" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A
N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 2504 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 2504 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 2504 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 2504 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 2504 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 2504 wrote to memory of 5828 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 5828 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 5828 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5828 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5828 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5828 wrote to memory of 3500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2504 wrote to memory of 5932 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 5932 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 5932 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 3308 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 3308 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\ProgramData\peIIkAIk\uioQcEUU.exe
PID 4560 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 4560 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 4560 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe
PID 2104 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2104 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2104 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3500 wrote to memory of 5628 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 5628 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 5628 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3500 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5628 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5628 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 5628 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4372 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4372 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4372 wrote to memory of 3948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4932 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2992 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 2992 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe
PID 4932 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4932 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4932 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4932 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe"

C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe

"C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe

C:\ProgramData\peIIkAIk\uioQcEUU.exe

"C:\ProgramData\peIIkAIk\uioQcEUU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\peIIkAIk\uioQcEUU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsQAIUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\ProgramData\peIIkAIk\uioQcEUU.exe

C:\ProgramData\peIIkAIk\uioQcEUU.exe

C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe

C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iesQIwso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GegwkUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUAUsYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWkQMkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGcggAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqUQIAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOswgkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMwsEwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keUkMcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccYkscII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asYsMgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOcQwAME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqQEUEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmUsgcsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaUIsUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuosgIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUYkcEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqQocIss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMoIMAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIMMoQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYAogMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmoUQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGAckwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KusscMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAkQMYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcEskkos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwMEUYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeUEgwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boEYkwMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqkoEEck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEMYUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muQYwsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsAUkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsoMUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUEcEkkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuIwUMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIYUUQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCggAwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgcMYowc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sggAUMko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCAooYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMgEUgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwQUEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIUsgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\risEUcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAgcQMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QakAUEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOMYogwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcAcEQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAscMgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIgggIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGIooIok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsogEgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEQYMcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMMYgskc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUUMowAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYYYIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmkEYocc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmcwAgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAIYsQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWkogEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWcIUgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsoMAMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGEQcgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSwUowcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUgooUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JekoUskk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIIAEIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISMYUcss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyosQIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiYkssYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyAwAgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMYUgEok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMIccEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUcoYAgs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUsoEUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feUgMYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsUogAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQokosIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqosMEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQUwEsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIEgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmUgEUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leIMQMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCwIMMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWUEQIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqgAsAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYcEUMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqIEAIws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEsgwcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeQcMAYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgIQAoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsEEEQIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GekMgAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmMscwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMogcwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkMsIEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwMscwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWUIIIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uugMsEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWMkkUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAsYUwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcMsMAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGUQAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmcsgcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKwkMQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REMogYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmIQssEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOYYMsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkwAwgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGAYwEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCYIYUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSwMUEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUwogEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkckEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smYUIYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIwwwcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImscEgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vowUQMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jokIIAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOAIgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwUooEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICcwwosY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIoIYAss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoQEAEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bogcccUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byYocYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgUUkcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocQkQAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKsAkkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuoQwgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQMoggck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEcgQEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
DE 142.250.185.174:80 google.com tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.87.164.69:9999 tcp
DE 142.250.185.174:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2504-0-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\xQUIoMEY\YCwQEAYA.exe

MD5 6a57c82517148655de53b75ea20d9fa3
SHA1 9a480d1278e5659dc56546128d44961bc5f30d1e
SHA256 de385af23901bdeb054b1e60d1040146de2634e0581d4496cacc19a26aaa62b9
SHA512 784cd1b79e6941f7564403f761fdb654670051b8b6b58275de6be0e88d35eac603f310f7c2d13d3d77908d942138e989c2d043ef26c21fcacc3e338da42ab5cc

memory/3448-7-0x0000000000400000-0x000000000042F000-memory.dmp

C:\ProgramData\peIIkAIk\uioQcEUU.exe

MD5 46ba0a215df3ab84ccad2915a6156883
SHA1 5b96f059c859d3c2b263c361d8544f5866315977
SHA256 acc0a144b5993246f9cff61fd719118e495bcbbefb49bf00e3dad05b2ce2ec92
SHA512 8faf9e5d0fd9fb25227e88260bab8586c071fd8dae3e31376a0e9ba958929a0159551608f7075d00a7edfad0820e647e0f38d7ba429eb2ae702b6929651efa80

memory/1156-15-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3500-20-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2504-19-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5008-24-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4996-26-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PsQAIUEU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c6ceb7c90e70cce7782001a3b7a488_elex_virlock

MD5 908fa2dfb385771ecf5f8b2b3e7bff16
SHA1 1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58
SHA256 60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d
SHA512 573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 a221ed337a5f761276964893039b8a77
SHA1 f17d9d734cf4c377a703bf1f7c6506ee1771f8f5
SHA256 6cccab2d8d0343071dc2d346d6c2f03d3dcec03710fafc5ac70935ae9741d9dd
SHA512 5eba579ea2cb2b73b235dcf7ab119a4b0f9f66512ef8fb446b6c032696031b5fce0575d2e3d387cca97ec049d69a5a82b577e767665ef307cd56e5e95c8e44ac

memory/3500-41-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4876-51-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4932-55-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4640-66-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4876-67-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4640-82-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 94d14b1b2c6ee0de22b25bde4da1dca8
SHA1 43f404b1f466cb40f2623b04f18f9980e895b54d
SHA256 f0866f0a8f68b753733dfd5b6720409dbf8b863324ebee97b36c07a11f81b80b
SHA512 29b205171590342b06ba4207669e8e4eed96e7597afa814aeec9b62247a49597c5e11f5fd04794f8a7db55d23d4930c01661be9a7ee57eae9c68a69e82edf33c

memory/3100-97-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1940-108-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3404-119-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5476-134-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 79cbf44645c5e29ba8868c4f958a27a1
SHA1 b89915bbd02d0887ba5f1a388d61ca5cdb883fa7
SHA256 f7b12fb25a15b426486de5a9c385fc2001a058ceeaefb8d9e0c1a772b461fd5c
SHA512 7b231fe3ac47086f21e71cc64c6bb8574fdc31bab489e4fcdf453d9b1e4802b65a4c58a69c6a37805f0fa31f69cf3aa4a1b1756d9cb458e8644ad1db267b07fa

memory/2092-149-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2104-160-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5432-171-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6020-186-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1336-189-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 b4703a27fdbdf0a961a7e652cdfdbfde
SHA1 999b6f7a94dcfa43b8edaa14db35e9cbe4c88dee
SHA256 d927647f34207ca961e4bffff1f4ffa47a4c6976640eb7f61074cd628d530027
SHA512 204d1013f6daa5854bfc4d354091ca06d80b19aa5985f617991c57ec9b2689e10846e54c60b149cf378788dda47cb72537b9ddda17439c21cdbefdca8bfcad24

memory/1336-202-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3996-213-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2940-223-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3564-233-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/896-243-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4900-251-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3496-259-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6024-272-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4436-271-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6024-280-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5468-288-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6084-298-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4296-308-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1440-316-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3860-324-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/800-334-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5628-344-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4932-352-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2020-362-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2808-372-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3320-380-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5336-385-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4720-389-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1488-394-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5336-398-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1488-408-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2344-418-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2232-426-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3316-434-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/960-444-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2824-454-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2776-462-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/936-470-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4844-480-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4820-490-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2756-498-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/456-506-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4460-516-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5576-526-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2396-534-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3400-542-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3920-552-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1936-562-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/6104-570-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/336-578-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/920-588-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4900-598-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4328-606-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3084-614-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5640-624-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/236-634-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/872-642-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5336-652-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5596-662-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4524-670-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5536-678-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3016-688-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5728-698-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3704-706-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5328-716-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2884-726-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5888-734-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4148-742-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2676-752-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3396-760-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/3448-767-0x0000000000400000-0x000000000042F000-memory.dmp

memory/356-771-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/1156-776-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5868-780-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/2828-788-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/5008-795-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4768-799-0x0000000000400000-0x00000000004C7000-memory.dmp

memory/4996-806-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1016-810-0x0000000000400000-0x00000000004C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sYkQ.exe

MD5 182c03ddd4237586170cdac882eddffa
SHA1 5e3aa313374e77391a04819bfa89f5323536cdac
SHA256 ef878bf5ca47501fa6cff0e0cbacbfc07ac0d3af7640c0cc33f2e9bba397934d
SHA512 3bb18b6d68479ba469cc7badbd3caed9120cf402fe926826c8ad235dbdb0ca426a160f54b28934a3e0d30c20d8a6f78c4a51fc19ca1e34560a9aa04c3f512877

C:\Users\Admin\AppData\Local\Temp\Ykss.exe

MD5 b301409dafbd775c8023ef8fd9e7ec01
SHA1 b9081f0facc6549dba04f5d54b1a86abd5b06c8e
SHA256 0d7481d04a171723ca16c441611a82c454c79949eb5164e66bb14763742de66b
SHA512 94358accbfcbcef2c5d2c5f802423600856b61405d831c6cd1c7277583dd069665cec25d604a9060d08f1c33ba228eac510b1529cb04043b4bb855962961fe4c

C:\Users\Admin\AppData\Local\Temp\UsQK.exe

MD5 7f6d0250e5ffd088c673b70f23c7d642
SHA1 667e1f30c75db8490a9c2907ed2f6c006f0cdf3f
SHA256 3bf401355955e63fb4a3b42b1e5253ec82e18dd8d2336fb76d11df015a3a31ea
SHA512 ad005ce5bd69ac1731f9563fe2501bc90ff8ce4c24c5b83338d3a6cbea9b09a827bef3f0a2dbed3bcf3327d6d0588dd04dd1aeb78b00d3efaad43956ed179688

C:\Users\Admin\AppData\Local\Temp\moMe.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\AppData\Local\Temp\iAMm.exe

MD5 f4f5b44c9641698623e22c25214591fb
SHA1 fdb4dc6c14a6c269e62fbaf5ec6f4a87f78e595d
SHA256 d938adc3cb5d1a4fd58c2aa5d4e142a3eb614e4af475715977a9ab90b0a5349a
SHA512 5c0f842666bcc66bbb89b624bb434ab9eee8e32e81cca5e972c43312626a79b6ab6f3271c1237560dc7cb3b30c213447217069b8ce3a550785d812c776f0bbab

C:\Users\Admin\AppData\Local\Temp\acYe.exe

MD5 bd6a7802c27a6347ef6600030b934cd9
SHA1 23d94ea6e094f172bd66727883c6b416cc5b7bdd
SHA256 9413730116835bab8495eceaf8136f2d96d1dfc0d2e5db768c2ca15af6e373a1
SHA512 e235855931f86930bcd2a1c5b2392132747b658bbc96d49180cbfe73f8983290742e0ef38c0abf1ce06f483371149be3d3ae1efbc84e071519a09097d5947689

C:\Users\Admin\AppData\Local\Temp\wwEQ.exe

MD5 14dd532d539a12d01c18b81b39cd5d8f
SHA1 c0c036530b7fe8173886911565c0685e1c865ba1
SHA256 8a1245536466a616e1528007ccdaefcce806bebc71ff56a68b76be618627eb4c
SHA512 43d1b7d2a20e66f65d6f84dc1e3fdaeaf7c7eff2d3403a7a44b05b4015017a4a26a0f90da335bcd8a62eab1deae073274fa8dcef23c66a3f21776c48508812ba

C:\Users\Admin\AppData\Local\Temp\OskQ.exe

MD5 34516fd20c3994f752cd4c2a546df8a4
SHA1 34969f653f3e6dbc5337578057d2e900ac089794
SHA256 5c54ac4b6ae509fe52ead1734c1d6e786691db1cd857158ad581787022cddf4d
SHA512 ca21acf45626bba398396a77366796338d252c539939da9f2e3fc5b378c8a6fabefe23473b72837f86ef62e1078160f515ecaf8e86c94c06d3b1e4113b67147f

C:\Users\Admin\AppData\Local\Temp\EMgc.exe

MD5 a1bea17e8657e8f6f0cb5d143d8308bb
SHA1 1fff82333d949a6cac7f770d8edba63298a6fc4a
SHA256 e68fa7bcb5d7380011cce0f2af86b0ab774df940c0f394d568ebc03c370ba4e5
SHA512 06f6301279c682e2edc04356a82bfb1e16623ac3eebfd3997ac43291227762afa0f4700a9a6e774a4136ddd269e19407d3012b14eea08497709ff3b37cb8859f

C:\Users\Admin\AppData\Local\Temp\uAES.exe

MD5 7b0577248db63384f01bdaa5d5ddb6fb
SHA1 c389a6e7e3a5983bf27b4a8c0be83f64c0bd03bd
SHA256 4f1bb04f93f5118a6af785c4823cdf9133389d09aa8643cec7de3267d530b75e
SHA512 1dc95c07cc3aa724b17cb1ce00e1e418576b18bd6b93831f02a5c1aefa99dc364b954cc5d845a1b1b3b16b5d72ab45ff10b9e8f35e298ae3447592430f06158c

C:\Users\Admin\AppData\Local\Temp\YoIq.exe

MD5 a8f48c7442214d702ed162c603430608
SHA1 9521458de4d8963cca7b6949bdd345a394a82ae4
SHA256 094d6f4e8cb80fe68d16c88f16251d0b287b5ec7dadeb73aae8f18fa45564bb3
SHA512 e3e579a23fd179eb304a50da07f05629d02e9c4843501814fc2f22a210500a011844384ee0dae18f96e6e6c811ea68c9151eb6a3a225c6d71388fc69c001d0be

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 0be1ee1304151a496d1de1d626b4d826
SHA1 61ad422dade0ccf696c43e62307867556617a193
SHA256 5c19c7e10c31d9c7e0e4540b0ab0b33e0f72b1fd9240dfabbe998ea3bd089665
SHA512 515b116baf6da9188d9889c9c5951d7a49eab4954dc519c7cd9373367f1fd735baab9194eedc4abd928ba50ecd58e24abc17250f796e6d0a1a566546252f4ade

C:\Users\Admin\AppData\Local\Temp\Gcoq.exe

MD5 f3f0f4abd7a27944ed71969ec1777aae
SHA1 27589c42882509e57b9eb8b08bcbf5f14c75ce5c
SHA256 aa129b1e48007abb0bdc463f5d78dda556586ba5ad7d98ecf12970945e0728a7
SHA512 6dfe0a6543c1243a531db929b97458e9a94829bb37b4ad357037efcceb79cc2b9266263c3a26aba8872881bf1015d017c19cfad62ca25031b28eaf3d1afbb79f

C:\Users\Admin\AppData\Local\Temp\uQcW.exe

MD5 a060db1b6998b2152ef82d340009e6b8
SHA1 4cf9547e756712e18021e313d9d6a2a3b4851a7d
SHA256 977e7dc30f5fadac2c7d7d0315334146b709310688018319feabc7bdfe457e69
SHA512 685dbddfecc1cbd443d2961280eefa5aa33356a234a2f1698e3590a04d938e1486c326c11330b99b05475983c925ae251c3e8a2d8defe5331412ce67be73fc9d

C:\Users\Admin\AppData\Local\Temp\AMQG.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\CoUe.exe

MD5 995053b2dd1bec63ab7d436b0642c8e1
SHA1 4a9cd3ffa6d20be946f4dcfff8bef6fba4b7dec7
SHA256 4ff63ae2e0e64622487c70585bce2ccd75c717db595dbbe6c790efee94f9e5b2
SHA512 5f6fd473fa87f27952764491eb8a8ec80d1f1bf804839584f6e9fed197b90ce6e297314074335a8b766ade793eb1084b97b8e90925e6ab2c9ebef0757fccd9a6

C:\Users\Admin\AppData\Local\Temp\qwoO.exe

MD5 ff7aaee8eaf382c27d3f1cdf3b8c1451
SHA1 52607175458a98b7b39409d50e0e175af5b46c5c
SHA256 e41c52f574302c5813468445dbd9f70f593c5624d8a5b2b26a3ce51b0a7488e5
SHA512 faa01d67bcc7654bce7c796753097af851819bececc1d6830c40ea9b405bdd62f0b7e70f25118a25798dc2db0cb2f732b486744c8b97fd43d9e7ff20b6bf6841

C:\Users\Admin\AppData\Local\Temp\iAAm.exe

MD5 c8d5e3d7d9e165d4ec738d07f214acb1
SHA1 ec0d137bf48dd6929dd97c92ad3646233ef98b40
SHA256 32ad5a0897dd48779388e03e6e9ba30b3f259425ef2a9627c63d6a77e5947c06
SHA512 c5747d6e20eb36011e1c5f86599c17ae0a62b821fe4f9b37e11c3b211bf51459861c3b9e238505d8e57ec0e433b6e1e86c3c2fbb55251209024f3af21f75b9c0

C:\Users\Admin\AppData\Local\Temp\KgQy.exe

MD5 23d39f5339a818722ec1b5618ccf8f3f
SHA1 cd470d319e1cb7522d6fbfb713b6ef19e0f23b32
SHA256 d647a939b421fe1b8ac5c7e2ab302d8fa8718af78f771a5dc3d8523128a52ba2
SHA512 00e2e41372dd9d081cf3dccdebf93b1d162146dbc2cbc477721f3fd62fff1c622208f9db240b7b70a11fe4aa761e5962dbeb3303961f28b67b27cb7480a12551

C:\Users\Admin\AppData\Local\Temp\ygME.exe

MD5 55e73ffb6e0e067c665bb800cc3fdf20
SHA1 60fbf548bc8e237a854e680e4f5f9671a3189a8a
SHA256 ce57e779058e7f3deab97592a68d855345b6539f4e9cba3071f13e94a820987d
SHA512 afd8fae61ee806cc4823e7ae8e6ddc2aa22aba21b9e51bb82517ae0cc261d4c00d70f7255ca479ad028e20dd716e8a0f9afe327344766579efb4edfcfaf4ddbe

C:\Users\Admin\AppData\Local\Temp\UgEM.exe

MD5 a48e55a12fc1ee317c9a4f4b5bef70ca
SHA1 40adba40be96865d2dcbf7ac79b76b252a6f5d35
SHA256 297b25bc84c8c5267ccab13ae3a0b732153dd0feadcd9ca465c074597477d10b
SHA512 5ad703dedc91e728c2c3dcadfce625d4b4677d24f7f3e0ff214a35f54f886002942bc2e8ea5586169a28078d51c8189ae54b8e01ade2d95f6f6ca43f3311070b

C:\Users\Admin\AppData\Local\Temp\kckc.exe

MD5 02e6047ca02c324dbcc24868d1bd76b4
SHA1 bb128fa2948704a0193ff6c9a741e33b8c610208
SHA256 1b739e549961d6b92314f9163f71ff8621ce2b23134209c398bf21bef29dea75
SHA512 390c0045d46980981e3e7e3bd60a120b3eac4f4b81b940baec90276c5dbccd5f8d49ca08f94b4d11d3ec36ab2b4004d8a403becc9b133add8dbe221c0170a9e5

C:\Users\Admin\AppData\Local\Temp\iQIk.exe

MD5 5a5ae89fd03eb20f4711351ed63a182a
SHA1 31aac9bfee6904f2283f920397e9430376f73d91
SHA256 ea1e0f3b76783c50906fc7f54c48b5d548abfeadf5c2adeb0ae72fe49e409e57
SHA512 a39e154b1c891de379ea8ec9940b22e6fb2487d14e4aa4e4b346d5547dea09e1a5a6d6f454d64c44573436dfaca96c166a77483b38cd7387b876fa5ede0769e6

C:\Users\Admin\AppData\Local\Temp\oswk.exe

MD5 8998e144131c997c6989f60ef460bb6f
SHA1 aa9ac3d72d990156bac44706354438856c531843
SHA256 0cbe44ab28f0653fd85bf988a118c27eac67d22768639459c9f75c5093b13133
SHA512 4a99d2cdbe0697f5e09a4996735631058dd020c58d46013c4e2fd736a2fb275d7f7c8b74668be8e5b25a3c22dd3781b7ec16b0efcae2d4c25fb37b4118ca4033

C:\Users\Admin\AppData\Local\Temp\mIQM.exe

MD5 60cd1b8f2e793b43e4da2e6cfd7d9e25
SHA1 3fb2ec7bd9f0e272156b076bb8b73bed81bd3c17
SHA256 58449a220657b523b8179c60fe20a5735513776b341fc136ae25edfc98426f86
SHA512 c8eb6ef4125cb8b22cb49b4ebbcca694fa7f5f1e82d8a49bbe1faa7c0a97f3336368fb4e691f2440861bc5a170f1a00188dfd0c402d87ec880f359534a12f74b

C:\Users\Admin\AppData\Local\Temp\ckAU.exe

MD5 20d2d8720a7ceeab3b3395071bfb234c
SHA1 59813fb17e5d6c630466d48fbd681b5cdbed6a06
SHA256 c8f3c7b82c3ad7a8453a2c51512447bb5668b713916dc6c762049c6e33a78a88
SHA512 d21de005f74bcd8c414f387d5bffc2c9abad000b5fef5ddbf4c99e31f156d2914a575d7e568ec55bb725bd83451146528924c02cb9c77eb5c0ed7cf68a4bc3f6

C:\Users\Admin\AppData\Local\Temp\cEcm.exe

MD5 8a4bf6583b9f829a473e6fa11bbecc63
SHA1 5c2aa7577b0ee3e3212fb44127ae5c491560d3d2
SHA256 f364dcb569c61d29458a6a17d00aeeb4b42b7591199d860f4251f7944eed061b
SHA512 c92b7c60dec256119f0695862ce3d883197750280725d5010c58864d5d772ca67a181d512cd5f032584b7b21e9cc0bf53311b41be0fdb964118348b2fb821f68

C:\Users\Admin\AppData\Local\Temp\iIIM.exe

MD5 f5618a229ba33468f3694dccddd7df15
SHA1 8e36c87b934810efac1c2dd6dde3fb09a14a5978
SHA256 9693b0f324f997720a6f775d57cff9cb65316ded44e6c67bddfd61c1be2b6d32
SHA512 f8f9e2423b27700fe8555517acd9acbcbd85ca3a27397b50a290d202fe13a171e15f79f4d44de5c1c1a71373e1e392a2eb6967c4efd1d0612a5bd63c7f3e4fcc

C:\Users\Admin\AppData\Local\Temp\KYUg.exe

MD5 ec3f4b3e47e4de271a47783d64b43a90
SHA1 28c5bee57b41f8e40bc350e1eca6a6751d1e3ddf
SHA256 b4015c38896da3145a1e1d749e43133a5c74e39b52f59aaaa5d48b51915a475d
SHA512 f95385403d4c71aacff71c54b4699c93b40732f9840b7d486b2529add186b25dd2d87d1d78bdc644b8627d87b98c84f928dc8a38e021a73862f988e90bcb159b

C:\Users\Admin\AppData\Local\Temp\KMoY.exe

MD5 aa8bceedd27ff0b13022bd3e677b9405
SHA1 bba28d21484691a41716a407d294c09c4231b6e4
SHA256 975f99926a663fa321e7fde686f890216726e88a58aaca980ec057db7569534e
SHA512 34e3c59b59579510ac591d5c5591d8aac3d7dc97488a24078b2ccadfb78a9af65faecdebd2173e8a7447650ffd4b803f5a00dd6c225c25bd6d1696e5115d2f01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

MD5 f5d10128f602a532905a61ee394825cc
SHA1 2dcb67aa43eb9d0d80219985580029c5704a71f6
SHA256 9f0eb2fee46f3cda65c5f7dbd2bc66bc3fdd5ffa6eb0ca46010e9d4084e7137f
SHA512 93d3cd3a69374f4206ed1dc225eb16aa7b0a53e0765cb7e85d3180392a9085a86ec554d737569aef1b42914aacb90d99a81866bfa03c84934554e5aeaf1e9f74

C:\Users\Admin\AppData\Local\Temp\scgm.exe

MD5 8d60476ace125766106941d5d70eef93
SHA1 1c842bfa9b566192855cb7e23b7d25e9298f1787
SHA256 06f97245a9a5699c8a8603b3e9a465251acf3a3a0642d2e443f09c4c09dbc28a
SHA512 986a8ed631b3c2a8a123f60b4764f034a9c2d6e6b12a92d53481eec9f77076a334e0164ae78d64a37d3e0708e0c54e0d52f813530b557b9a1fbe828b1c234863

C:\Users\Admin\AppData\Local\Temp\asQc.exe

MD5 d90369b19667fb37daf51ecefd7474a5
SHA1 837620ccb62086d220a92059aa7da7c5d739206a
SHA256 1adc559c464264247a3f3a67ffc16af73ffbfb64ecb88aea9effe693d463e026
SHA512 fa6c7af23a1b55364f5e018ef59df89233e5005b167900f7379f442c1d3b37547c23458c24a2e4de90db6d50c87164e4ddd9a97fc8ba7dbe39005ee7da4c5387

C:\Users\Admin\AppData\Local\Temp\WkcC.exe

MD5 d004b2f99acbc30488034dab366d313f
SHA1 2ec685901aab79adf2943b5e8d5be8fa36a69be5
SHA256 4703fc52bc2c7ca855a141884f6d690cb67d7c44ed491f859aeaf89bea1b8819
SHA512 75be00b11db81ae279254ff313bd886a2760f1ec27202b8ce931574068fb5633e094f58eab9da067378220ed569aa72fb1b43100ecbe30e1acd1e2d3a8badb31

C:\Users\Admin\AppData\Local\Temp\wMAK.exe

MD5 b1fabf9fca2ffb2831f98b7c2d96cda6
SHA1 0300a39c2dbe72f77fa5f8be7b3ec2e679dc7034
SHA256 098ea3efe60dabb00dc047557776afb29c535c2306c554dafca71a571e280cf2
SHA512 5c22bcb1e0508ed2f1410c93125af393ecbe2f5b687780f3863006dc20fa888cb1d6552aa5d99c9b005143d60538ca686a52a9e50b195c576ce0b90a54d880ef

C:\Users\Admin\AppData\Local\Temp\ggMu.exe

MD5 10ad6502c9c3a154c90e6552bed53ca0
SHA1 731110a0f4406428316065bb7473e01aa5b69e32
SHA256 02f96dc9e583e84a0544ea05981e42d475c14448d72961ff15619678e6235de0
SHA512 738c150d29a877522d995ead2879f7c63823f212469a0cfd6af9bf082bd10f49710e2bc0028b69704a8b1b8184ee334ae7a1101de82373919deb5a56f5bab4bc

C:\Users\Admin\AppData\Local\Temp\uoMQ.exe

MD5 df1f0c3de03b0f2d355683b7fdb86616
SHA1 9c12c32e308742b5caee7f2a220ea90f8fdf4bee
SHA256 e9062accad9482f1abd74bacddaa6cf4011ca68a8922b7d3b7fc2130731e8904
SHA512 0d0ee5e03cfc04ac7b08ef05ab7e56416faa37c0abe1f28d16c41eac4b472dccd663739ea0de8339fcbfd6107cf07eed6b198a7a63e44e37a3f35174409b00cb

C:\Users\Admin\AppData\Local\Temp\OIYm.exe

MD5 cdabd96cdafdeeb2e50380970e675772
SHA1 b30fd57a07f50254c6adf0a805fdf21d0842727c
SHA256 92668cd2a9e487c62a1edca9ea1b4aaa0622b0a58f6a3bd66fe7df1d9e80d817
SHA512 11073bf8f4ecc7708649a70846e4e3082e42c0ea9f17df683e517cf87d735257c220640a5ed33fb7ae3d1b0e40b1d0bf4145d79d69aeaaf66ea8412bd7cb9903

C:\Users\Admin\AppData\Local\Temp\cowu.exe

MD5 b6f7b96656df45cabeadd87ab4223bcf
SHA1 d67fe2f25b58f86b219d93937c9aa58886287661
SHA256 2bcc21db2b22a9a6e698758d72a504e65f162dcc4c67fd3683543d68d07a8344
SHA512 2d20ae80acc1d16f5b6980bee7e192ad744e6180a56f3ffba1d64da711031dd35ab24fc6b3721764570c0a95e3b34cf0f1dbcfc40ee84c7f590eb79cad95f45d

C:\Users\Admin\AppData\Local\Temp\KAsk.exe

MD5 261633fb19d0b07350a45954d1b1a9e8
SHA1 b06ccdc698d88479df1576f26f1ef7bc20dacc0c
SHA256 fee431e8aa31086d5b0ca2af928d85a789217088ddd88faf91241dc5806096b1
SHA512 0ab3c3794f7edf130591b332bed0d887c9c9fa7f8c864e2641752d2c79f30c07d46509815f86024a0acdad46d3193c2d003ef24c89f53475185fc0c8275c6975

C:\Users\Admin\AppData\Local\Temp\osQu.exe

MD5 82d9264b2e8dcf01128c58e43a9db385
SHA1 ef151a2158aca68626a95e1710f785317728fecc
SHA256 04a17ded975f72b1942689ed5594ccff6abcb074f4bf05aa8abb7a52f02bebc8
SHA512 13dd6a16f9d40f2dbe9e40c76eb0e167eb2ee08d1b5a241c25dc9f3542d81231b541f5e66bf9cdb402368ef5fdf320b1d12ede15aa9103cbbd730170343aceea

C:\Users\Admin\AppData\Local\Temp\WgYY.exe

MD5 87a1a5f38438c8ca6550e249f95ee622
SHA1 dd53d766e66bfd652f0791a46dbb90d426010db2
SHA256 c3a7432584f4a30ec1b944b53ba9d1fda747373cc8c8f8924f6e9e54398d1b88
SHA512 bb037e71e62e69c4c36d4fd7953169368e2afc289c6fb98c10801b1a736364699d063174ef0a8da583aa9c0a096913ce50d8f6e824fb49cdee2d2cabcb6ff52d

C:\Users\Admin\AppData\Local\Temp\Igcu.exe

MD5 a63c6424e3f0006bfa107bc34a1a5f3f
SHA1 4ba22e00dbfb7effd6795062b6ff3a6519384759
SHA256 98f7983cfe5c5e8c94d0879279c07af1b5f651cc1f12cbd20adb955c75b62a92
SHA512 e070884dfc677bc9801851cc0cd8d1f4c6132a1de166ca58f3b69e62c2d632eaf5f7332e0220bb880233f473e7e8f29c2b9b0d626014d33c09da29bb05c1a745

C:\Users\Admin\AppData\Local\Temp\Ekws.exe

MD5 1050006da157fe5b5ec05f4163ce6ae5
SHA1 3f6b1174ecb2de46dd5d1a3a1695bb0ee7cd22d9
SHA256 2a6db251096f375b1b54aad02cd90395b7237d03baab29138283e6fe499f51f9
SHA512 5c39124b6784dccd8cf7eb11918c330feade77080bce84d3964ac70e2612458057381fc444de56ff28dfac6fd8b38680f653c06d682bd0431752a0a80eec5a8a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 d0f502f4748131851336a60deefd0165
SHA1 0621dbe155417de8c95965733aa428a652ce0651
SHA256 1b06d38ff11235556c2370ce640ae3b6444a7d146fe4ca59d3ad6269d67a6976
SHA512 2f49793b1b7baa1c8d13b848709afd8fce10ec39c0f6fff451fc69b50034151f6764cad0dd4f8a713b49d45403d3d3ce784eec2ed48ca7c07bb6b56bee15cc05

C:\Users\Admin\AppData\Local\Temp\aAQm.exe

MD5 f8b2b2eddfe994caef51bd96490539fb
SHA1 918b26f64e48f2393167a21f3654fdd1c539c9ec
SHA256 0e2e1b54b9fcf15a9e5e611d9bc56d10e69043ec6a88a4b1a2c49d505de48f70
SHA512 f5e14f8e9839015b396c3124ea8c47b3201d2a173fd30a54524260f90c1c267f5b4fcb1892e0c69a2d0d03ca772faa35662ed500103c8778515b71756a82fdd3

C:\Users\Admin\AppData\Local\Temp\MIAa.exe

MD5 2f84578c5848d656029a6442bfcfa131
SHA1 37dd30ff98476189f74b3f37b00355e3bc9439aa
SHA256 c30f2e35c612437131332f44263a0c42ed1a2153d1016abbd91f997a3f623653
SHA512 bfc9e5ca9cb25ea5991b311d05f125af27b0bb17e8b2e88357b64ca622b0e8046c20ddd59c155d9381434dcd1bb607a4ab29ccf89d7fd2da8589c6e25bafce83

C:\Users\Admin\AppData\Local\Temp\oUoa.exe

MD5 f100857cc7688c59c9abe51c71324e54
SHA1 7b9c92a557b5f9b84fb32e64cd22ad284848c204
SHA256 0d77bd67f79572268426f4655599ff1b2356bd57e667de5fed60a072f61400e0
SHA512 a391633d095ae63eff81f30e5cd340ba66daff6ef30b9146a32ad6324d43878f6f79c463b3418e9e58b964cd4a968f8f5dca57989d10c76c39918a1894777031

C:\Users\Admin\AppData\Local\Temp\YQUy.exe

MD5 8658748dd08337f9e80a105a70648766
SHA1 e1c7984a68b4fd3e55f168695934cca91c46540f
SHA256 e75938e928316c409687df78613ce2b4f7cf1134861a55e9d4eed878a338389c
SHA512 4b50f390e2363e559242058709d50cb29fedef9de30f19645cd240c51f32521cb2edcb44bb56b15d47803baa69e4ae9140f232b6511814a7bb5b8bd0b5cf4c6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 65693d77baa3375f4d442771afbc3554
SHA1 6533baebc52f036f41477acc1a053c436fb313db
SHA256 501a145c8b88b8ae873231d0a5d0603dd5a67572d87b90df1244da064c6bf31e
SHA512 72c2610995884b4e5e093d0fdacad9fe0505b6c435bd53ff82f12573ba4ed199ace1f128b8e6b80212b6638ee516628dccf26e50e79006256e55a033dd18ebd0

C:\Users\Admin\AppData\Local\Temp\CQgg.exe

MD5 a2471d749098dc293314c309b4e5635d
SHA1 d2e020c38799662272bb358ea5125753fad2c30b
SHA256 27da8854e6344e34cc8f43312e895aa76881761eba430a3a210bc74e05824bf2
SHA512 c9c9355a8aef710018e850561c07752fa4ed1e491cfc70f6546f6deeca234408db7e5c4315bfcbd99d9a375b0ce60dd41fbc74f21ad8561f62e4d1e0108d5792

C:\Users\Admin\AppData\Local\Temp\iUIA.exe

MD5 798ff040e25f82e747bc949388ac130b
SHA1 db60e53fa54d67b01e7ed1f185502243ae3d1107
SHA256 f1774d005918df8bf30f8094f14c5aeeb710da08c99e54a29f2b7d24e76cf84f
SHA512 2ef4bae54ef0c535aa03b0a67f11e770317be19113ce770426ee7c31346c8be9858fe75bf36697c13c629ef0ca4b2f4a26b81a680373b2c2d9ab12e300777f65

C:\Users\Admin\AppData\Local\Temp\OQAI.exe

MD5 26a2d088cfcd0a117ff5aecd63b57013
SHA1 668d55d8d33af2e6355d1143e92d18604c6a3ae4
SHA256 2920f5c384c26b88b39aa5b91def4476fc21c726ce49ccf801d9ee6aec85c84e
SHA512 110f6d10a09cb777cf664c57b1d92215ef1a6bd9cc23fada3148cdd62d83fcb11b66b6ef328027e83a03832c7867e0578b2fac801e23b3149939121c2ee179f8

C:\Users\Admin\AppData\Local\Temp\EwsK.exe

MD5 a565d492b6274ae1bc63f6991e2f7f56
SHA1 c0c0652bdfc5744a4a3642ffe7665e3450b0a136
SHA256 21526635c91c0f3bd04db4c8f30bb0f19a8ccafba4bd26a1b52192bb1e84bb30
SHA512 53a9c5f5153f82134961a42388f1c0d22ebcecc927a410f2d1dfcb0b7d080e3562a013bc2213dbcc88a80ab3955e6973c2bcfeb26fd170e432ff64a7515f76ba

C:\Users\Admin\AppData\Local\Temp\EEAy.exe

MD5 b4103464592e71623481b96d59ae26e3
SHA1 440e56dcb2b1485640b593eac45d5fcaeaa9fdb4
SHA256 00bf6ef069145b49d56d979222a85bbbd84fdeffc813aa6d19ca4cb14135dac3
SHA512 92a8a299796d0902c9a4901b6833bc5006e62ad412dd4b5d6c4ee0dbb8f345d86e3512a7cd4e9abac376dd9db3355a6c94288e22ed51711bac64ec24753c0b7c

C:\Users\Admin\AppData\Local\Temp\IMEy.exe

MD5 f2d26b6a715b2f043971f8ffb7c39093
SHA1 5c930eadd33cfabe08b78d754c3a48e50868ad27
SHA256 6ddfd1ab74edbd411462635ef417a23bfa7b1b37cb18d9c985cea68282257d63
SHA512 f65c0e477ec697e5bac55357cf4a5b9aa13403075a78fcaafea84777173eafb8f0bca940b8319bdf83cd621cb698c3e132486ba523fbaf8334bfc964af1f3e4b

C:\Users\Admin\AppData\Local\Temp\YIIO.exe

MD5 9a6f37cbec47ac02d8c51814c2655dc8
SHA1 2e06f942afb49fb318c8ed664f38c0dfbdc3d259
SHA256 8443a97d5d5782ebc72e46ee56f5b542f76d54f682487bbe7ca66426aaae99c3
SHA512 0f6067bf072e1342b15e2127a3cc6720e3d274d713d7f41e6e533ab895f910e8ab0032006f9896dbdca3f5d1f11f5992692077ae5772422de683ae470c11b488

C:\Users\Admin\AppData\Local\Temp\wEsG.exe

MD5 0068f014cace1978ab9ef6eef5e76dad
SHA1 018b3ea81c253454b35c114c2008e6e590f408a5
SHA256 c7139a0d00f7478307655068bd36c2413b09d5bde72ec1b63a66f61baae8a40e
SHA512 c31ae67c03957ba7ed7ae6e9ef6d174c703eb0b345c2206dc37941bc6d84408bc1f5b57901a4fbc92cfba3e9f4ce22ea4de5fe40e33481e70ba8bc193225d7c2

C:\Users\Admin\AppData\Local\Temp\KUEm.exe

MD5 0d3081e589295f6f183fc0fe5451cb4c
SHA1 02868e36b360339b2e0f8e3d8e7e6084fe550608
SHA256 4f02b13b8da8d780df9d3a1d168c057050f7e09cb2c9759b67a1738b18cf95eb
SHA512 7b9cb349c857a0f0af94b84df780ff61d4b6286b95715a0e4a46171f5940862359614b04bb8b59bb1af1c1baf794b2af48f0105cccf7f02fcbc015e954a335c0

C:\Users\Admin\AppData\Local\Temp\oUMU.exe

MD5 4a7e50b840b849e914f86de1def53f6a
SHA1 d0679c3e1a00d1bb1d6d04552ef139da1936f84a
SHA256 fa32f3b5c780b7724547ad2d45118e9b1eb46ea6e12f3f8f8cf487b6eb0d1ab6
SHA512 dad7fc89191a08a09a7ed54ef7775959b2c08bb36d6320c6fd1428fa58dd5de96ce0f72f539fc08bbddcb8fc777b8bc9c3df060847904cb954e4a94f0431e3c6

C:\Users\Admin\AppData\Local\Temp\AwYu.exe

MD5 56add009a847e43ea1aaa70bf58c657a
SHA1 03e1d407126169a0033944df6774593e02b24d09
SHA256 e6c113571b8e8e53fc3847c129ed6f8328e8d0970bea304a5c92d4d1a6ddd3cb
SHA512 cadf922b2a3c298f99db039b2dc86915ee814379a1f87f2acd13913c5d4e780d4f551ae02ea942407084ebfbcc4dbd98dd5408fef3ba0fbe87b0158ddd6dbe90

C:\Users\Admin\AppData\Local\Temp\YAws.exe

MD5 a43cf55f215ae519445280a990bf308e
SHA1 91c6a13f501055fadfa2ff670fc55e1dfbc62ad7
SHA256 5eb76e6bd28e4e48260e9b911bceac3dacc8f1817ddc71bf7d5936a31841d561
SHA512 091d885c43a2722e62f4be331b6b86c9ea34ee6dffc099e61e5ca34389a9263236ac9e55f422e8aaa41e9986071cb32b138f6c9ea991d7665cefaeab1e40aa4f

C:\Users\Admin\AppData\Local\Temp\eEEQ.exe

MD5 3199a9842ce14676ea2061dce0c4fd97
SHA1 cf9ded0bad6271232d94013c0615fa5ff523172a
SHA256 89aa324c033e30c72d99c41ba058858ae418a7c488272c890d3f9ce6c20c855b
SHA512 1569816b84f506ee69c3c523c3142ac3548116c29b87564aedd40bc6273a5de51ce680ab1a42b7ca626d5dfa849ec023990d7be95ba1f95e45e1625eab607f1e

C:\Users\Admin\AppData\Local\Temp\SUow.exe

MD5 b6a7c60a7982a8627a9646f5bf46d288
SHA1 93b0d535dc2c10b1c6740ba7ce8715b0fc8aa214
SHA256 094c6837be5e9153147614c60afa243079413e5ebffddd868a0c8d332288456b
SHA512 fba1e9dd660e85a60d7a5d8a97dae8f93e587be9c3c51bf944a0fd94b7618dfb34c8cd28d053134e176152a906fadfdaf58447dbc63e535df093bda878266cf7

C:\Users\Admin\AppData\Local\Temp\gYsc.exe

MD5 7e038446a35dbf5d0e0bc43d77464c16
SHA1 60ae7b18d775ca401ecccf6a40dcafcb22189b83
SHA256 3e837d05387b7281bd48d7ebc9426ea8bce7bdad729d7c34ac8924959e3c050d
SHA512 965808c43ed8c77f1f87a0e91d7f3f34cf9f1bfb59135db3fa12dcf1c4afa5da6d6fb7961927785f8bed4f7f9db0ad5a6100af95188223236ae42a7f93525e68

C:\Users\Admin\AppData\Local\Temp\Uwgy.exe

MD5 65618639c492dd9013bbf89970b83282
SHA1 e9d5baf13c7930eb742f08553601341a6eb51634
SHA256 1bee36dafab4aa9f7525a2dd5913e418a43aa5b6be0168e2d2c09a3120867d20
SHA512 92b8ca61fa192910647b40ce4780cf49e2f909fab6ff1af41ae92a26eb520332d51b61046f075cd30c75b3e02490198026f19eb5180beed5d96e84a65c4b3320

C:\Users\Admin\AppData\Local\Temp\WkwQ.exe

MD5 a2fd46f94a31cb546845c1d3fa4ef071
SHA1 55541c674298086c0779027231e0478357869b66
SHA256 47f7c1d6785f66cd885bcf5d6020be0b8879a1065d7404a3ffd53d156826cd9c
SHA512 0f9774c7edefe9b07e8b72673bcbcaf92d3e7626eaa7692698c23e3954aedd83f22ca9204ff5f9f3681db0cf22b5d92408fd9cd0967083f5c259f1a654170805

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 3ba9e067a5e6c8cb5a9fd4b4fa1552a0
SHA1 43c49922460eb7f8175f395ee000041abec3dfe0
SHA256 634476295cad511730af1a426f6be198ebbbf8195eeb9dbd9b5620e89e102d70
SHA512 ef51592208cf546d2a764c45724466b2502004ac33ba1ccf64d4779c002a0915d4d6599bc7d1ea2c1b086d342fb7d71cc6ef662e527b3017dfab69c2ebdf10bd

C:\Users\Admin\AppData\Local\Temp\eAoC.exe

MD5 ab47c7a94687a6c0be06c0e46718c2f0
SHA1 05d8431bde5df7819fc8bc4b983b5af5bb5eadfb
SHA256 a1a7b1b5120fe6ca8332b2969117a606028750cfdb0a85afc379e26c522675cf
SHA512 787ab6d0be1a552261b706064957a8c236daff02203031e5f5122f32ff0ca4b964367405c1e9f6bafdc8d227966861ca1ec190b8099be57db6a49726bc90eaab

C:\Users\Admin\AppData\Local\Temp\cokE.exe

MD5 83fbfc74c254d81da60cd6f053e9cde5
SHA1 12735e53a2af068d10d675f8be7ea376c3a5d14f
SHA256 34a0b37c655309369d249100b94e35d24de026f8d393f2bfca30d6e6eda833f5
SHA512 f4e7e4e8e1411c3bfc97b58b0dd5898f065626b1b28bdede535ba1a6e5723d07469ae978db831797d6d95b4c9e8259377e5294c777b7f37547da623ce3ece093

C:\Users\Admin\AppData\Local\Temp\MYkw.exe

MD5 f3ebc7804b5e67adaa209526625bf876
SHA1 9ec53c7cbdbbda6318e407b24688e95e8971d735
SHA256 606538822fd64ddd5ad162f8f710732a16688683b01fafa67c155788eaecd553
SHA512 25411fec058ac129e5be5bc321ec4beed9af98056722336750d9619e88fe416289942c7f60abc1418a610c4cfe4ad14f1b85b80eea7ba40611cf2c0c09743d56

C:\Users\Admin\AppData\Local\Temp\ugMK.exe

MD5 178a7e994032a194207c10c8175e075b
SHA1 7c3aec8fd8050f841f3ee08f1786d01ddeb370e5
SHA256 1681ae0c8f38faf690d4782ff941a9d531a16b20b063efe6a0631b6bee370f4a
SHA512 a4cc15798760bc5d43b57e992cccc4c065353b3ce1b06320b10c0f142390d78b8f944822404d3b3684df61eea91e558e2707661628152bbdce7a098a9f3dbf76

C:\Users\Admin\AppData\Local\Temp\isEY.exe

MD5 b23171ed7965ad09e69f303bd57ad38e
SHA1 4c3fbee39955b430d00bb98a1129e5af5731e3ca
SHA256 ba269c99b8f31f5ae38a9052f4388f321ed3e83b4ff6cbdbb23639dd02d2a2ce
SHA512 4efebc143ff481dcbd2e00649e8f513804c6cc9f2a8cbbc3208266ed1d6d6664d46cc719034fde5563655aae0659ce702a3dba2ac9e342944f0117a92b339f62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 bf9bb150da08509e40469bc5bfb95f4d
SHA1 afc4380609eab34a107b986e82c99a4905b8bdce
SHA256 4b86f66e7818671fdb0cb55486c09b4022fbac922684e4124c4912c9707e3b79
SHA512 44d7c2259435a59b7545eae7814682fb480e8e2ac60746f78a0594cb89e018d172a02514cd285e7326e85fd1a05f567ccc3d0c9178bdb1bfcefc8b58e276437f

C:\Users\Admin\AppData\Local\Temp\OwQe.exe

MD5 7e3cf02df150d3c7204683da59ede7a1
SHA1 60c7d441f920eb76958ca8f9823b17648689e4d6
SHA256 2195bd9c3f6a023a8f2f3c8b0a4a7424c6f8eeee28816e7658ea8940c3238745
SHA512 5175dade68d0f69839b230fabf852b44b960ce7621d484a9faf82b7f345031385e2e7d14dfa647d5305039023687b715f677bbc60bf7cc989b5664adbc7f5f7e

C:\Users\Admin\AppData\Local\Temp\KEUm.exe

MD5 2e2605a6d862b0501e94af58b6a38947
SHA1 daf3391e7876bf45aba3719307f96a1aa33b49b7
SHA256 280bbd3b8db7e069ba0a47ae79e0b7ef7c5b33fda5b57e875a1c80c6c4c8d0bb
SHA512 2cbe7ec617aca6c4daad55c7508d5c9e43c545b53fe9689c8a4eb9ce188d9858fa3aae966411999fd114cffcb4232a9e4595e9ace5f5706299e49b01ad849ae4

C:\Users\Admin\AppData\Local\Temp\gokO.exe

MD5 28f3d170dcf91fcad0642cd992f54900
SHA1 50b25770cc3580c16b4e9ef2963e4fe02ecec5a7
SHA256 762d10305c445f8fddbbabe20f28faded0034254253c53c89542a00e0e1ecf36
SHA512 a5acb8f321dfcbba393f6e9ef74af30590bfc787e5182584a0741a561fb2f8142e2e4b266bee09a46825da52fa21e547131de09fcf5397ce4accc56af7991bd2

C:\Users\Admin\AppData\Local\Temp\AMAk.exe

MD5 dcfd6611de1fc7313a5c89473cae6117
SHA1 9a3d8307048ea659bf42467d99f1e910f7e3a513
SHA256 ed6846601f9c5be8c19608907a82dd00379efbb4163c3057a8e7a116963e96cd
SHA512 3c37e0a15eee2512d31e39b883c0dd265d6643e7d59f57e9ba05dfe201440a30904a7ce21990105714e3eaee7de9da8d2ab985fab9567e8e42c0bc7146ae0826

C:\Users\Admin\AppData\Local\Temp\GEks.exe

MD5 eaf0e394167cb98bc4e47d68ebc69324
SHA1 6461cd8750ed0fe16864051b697157eef3674491
SHA256 79b1bccecffa2b94e37b9621f913e98f25036d4b84433a69dcbc0f5421365729
SHA512 17513a91009ba292a7d9d289c4acd2fa130bbab888a6711048e19023dbfe04acff78cb51a31ae55cbfe2241bf7edbf52da39507133b39574034cde60d2fc7ca0

C:\Users\Admin\AppData\Local\Temp\Qgcy.exe

MD5 c42c4fd72fc09aad55388214ff58340d
SHA1 0e21f6de78700ac13d33ebd35ffbe49b685c0c90
SHA256 54da5cfbd1900e41da954054d5fffe7990933dc15ff5c3401bfada01f07aad6b
SHA512 f3319713b97785f5c1a171d0ec4e92756c1876b9d6c965901e5dd1df99022c3eca6fc9fbac109e8015d4b5fc6069985e5e1f1198803d7f6ab9cd0ea9fd2b1e1f

C:\Users\Admin\AppData\Local\Temp\AEgs.exe

MD5 158eea0682670ed6a644b21716114410
SHA1 b6b9e5cdfba52f235a0bec9051ad5b26013c2e0a
SHA256 df4abb5dcfb523421573d7d4a28a85d4c4cab076c28b35a356dc991e11c8ded5
SHA512 fee6030ce25704abd2fc6ac86ff1eaaf3ed76f78d4464b1176ce7a316ae913b3ebedc0dacc958ab4782deaed7beeb2793f443fdcd93ea0506df5cf13697ae567

C:\Users\Admin\AppData\Local\Temp\yYAs.exe

MD5 5296030f628c660d4728459c46081af9
SHA1 1088bd00de34e9bffad81739280829896826451d
SHA256 14ede38b475808717675aa5899aef7d9a7a4e69a4fa427ccf326c129994b33cb
SHA512 97037d6961846e40b68cc9987201376927b4b429a9151a03a48b6a81b3391784f05dbd449602e89ff5fe3710dcc5b706191045731facfd4ab370683b8137b408

C:\Users\Admin\AppData\Local\Temp\yYom.exe

MD5 00330d884749848f0f0e9dd288417326
SHA1 4dd0acece304283570186face218e5c7c0a2a01d
SHA256 de1d153a5af474f31c22a7a0c80c71c4bae0c49db3adfe0f2e481cc75b7f6e61
SHA512 8b94b6270aebdc1eb293278f0da304e77da2eef51a62a9fd6987177138a1a507a97f30b86dd50055b920b6f9654f243f38a314b31bde66474fedbeedebcd19cf

C:\Users\Admin\AppData\Local\Temp\EEIc.exe

MD5 efe25c9ae0a73d2f72e451382bfd8d3f
SHA1 88e03ad827137ddb1aa1c46f8c0dc72d3229caf5
SHA256 6d781efaaf328bd30d41d366a64c592f82527344127f8c45f143699959bb4e82
SHA512 98bf3a22ca972166119eb981244a07382039333cd71e9fc3e5307d0fe08d3117ed892c8f9e32c8541b2b06a3b7a21dcc39a1aca275ae0e4ce525a155f6f1a619

C:\Users\Admin\AppData\Local\Temp\GwMG.exe

MD5 836bb75824a13e2b13752a35d30cb303
SHA1 1e8cc50c29d7dec5049750e968f7986e4d41bcdd
SHA256 2888417407be155d79da6e59d64b2e8a5cc2f45325fd32164083d35de9422cc9
SHA512 342399d89a235687a034356bb2cc548c383dfea3af67a99cf194bc93fa77d2bf3f1e14ed862a6f6db7d54eb31310a8fb4439a63c02535544049b26103601fa4c

C:\Users\Admin\AppData\Local\Temp\Kkok.exe

MD5 1e0edd4b5a1d8f59803aadf941da7995
SHA1 4ea88a0420cdecf681f14cf0aa8c6e8f9113c336
SHA256 0bed63f46f72fbc294004a2ec8b4dcfbb8c973e720d4d61d37acaf26f453c654
SHA512 8ea2d6f35f997a203ae2631c2cac80546a3ef606a2a58e3a9c7e2d8a4a2c2cdc49898f87e6c2ba9296c868c35870f0548e61e5fc74e28a5eced5a3ece0a517b1

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 08665cbb9f8ce9609212cecd6962a07c
SHA1 a8f01e7ac307d47061aabe0ddb780201e03149de
SHA256 5496b3ef438272aa5a464be08ded2fd7ad996fa766db4a744581395f7ed3de27
SHA512 d8026661b9782f1349318edcb9a1253666db3f517e1d0f333a53e195d61186d73f97b9340471fbd736065fc42f7fbfffe03ef87f335032a0dbf78da777a36825

C:\Users\Admin\AppData\Local\Temp\eYEu.exe

MD5 7e8bbf8f28e1e14e2316ee4b4fd87066
SHA1 559002ae4d60647ef5638f307c1f1eb6cd8d7a26
SHA256 d36b54d6c4b4ba3a58b1e3512e9cdac8842f6eb618a66e02d441e10527dd8700
SHA512 4097a6d6c872f838ddd0a089e846daac19d1b6c7e3d0025e177d088cc06e942a2abd686f0c65e9967d786fb60bb687be6d67714fad1c8a99f89575cfdba1118b

C:\Users\Admin\AppData\Local\Temp\IogE.exe

MD5 4d4aa454a35430c1260d51464bbe827c
SHA1 702afd5ecb250e121609488ba7e299f43c4a5062
SHA256 a3c3b51b479ee122809a7e3fec90c984b67c19b810e4f1d93a5eca8547d91bf9
SHA512 3a9b317172f6d3cbfe83badcb6e2a07807aab563c85b52afb1bd110c592ad25e37bde4c395bc3db7ef2231888a9a8f4e32b992fd3139e953be8f0c25738a7657

C:\Users\Admin\AppData\Local\Temp\OAsS.exe

MD5 9f6cb25931e00dd803f83b363c832397
SHA1 23c36320adbb815fe79335a4615ee16bc7e482ca
SHA256 bb7f5aad675a5bfcb55b76930078893c28a6295d812eb605401f9cb57006eed5
SHA512 e2515e7cdfbf9f2102dd930391345250efa54f4890d72268018f2e3be5043010a8526c63bd39a248bc6e668f9eb74879e92ace431e0a819285b0ff29b22e62a3

C:\Users\Admin\AppData\Roaming\MountRestart.pdf.exe

MD5 b32d498f213cde74f9248e3b3c4a48e1
SHA1 5f3408f1afca965d5a4916b42f616e6b5dfa86aa
SHA256 bd2732fe8abcf5f97d0230eca4a6ec4c8d018a2064a18b6dd748b76c79f79852
SHA512 4bb6ed6c7ee839b5a32e2220360bc62125e65749a00f0a4c29ccae1f8de2c5c35c2d911763d9e62c601768750a3f766e77619c64bd12e7e0b0afbb242b12c430

C:\Users\Admin\AppData\Local\Temp\qQIO.exe

MD5 88ef333a435cbf753eb0053ce66509f3
SHA1 ee328f868224060a805606cc57848f16cbd1a7bc
SHA256 c4eaaf9ffdeebba07fbf057737e3a19734a756e070fe4358b0976930f9fe69b3
SHA512 60318cad1d47bd2d0f97265143b5005b5a1f5f3c9c1ace7023e551e743dd23ec3ddf57e5fd8bc2aaaa67a00eea12ba486c2fd5729ea07b27861458077a05c042

C:\Users\Admin\AppData\Local\Temp\sggm.exe

MD5 3290ac2b64785d0408ef3905482d6d62
SHA1 cd022f79ed906ae2c3bf40c6e213a36bf97d055d
SHA256 9482beef442d81d72e306b1b5f1b118f1d8911b9ac30f02f6145eb29886e6a5a
SHA512 a6f23bcfacecfdf851df60c0390e546bfc7b3997ccf1d318a5b693f5adb4d6f21181fa78f2499aa747ee9fde248b14c010b35d302c55e0fc87c1cc820c9fe6c9

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 2376e07c37afed88e0f9d028424f8f13
SHA1 0a8fd2578f30156dc3e31afd1a46f95d3f68cf81
SHA256 b2b69d8dd6026a35488f8c91f42621fa3b53f74608230afcb01f2ad47a831b24
SHA512 84b9e7feb46b5399450d78ef40f9cf70f4fada48d6c4a2abbb794518961e80a416abd9e46726bfe208d0ca61b9957efcb7fb46fd789412061f347638f527e98f

C:\Users\Admin\AppData\Local\Temp\cUYC.exe

MD5 f8cfcdccaf9d26d95e2936c9cba2d5a1
SHA1 8645d793320c86681e22091ec43dfa909715ccd7
SHA256 c30bb3afce2b4116de67fba1fa1611d57a54093684742dd4f9999933c2352e43
SHA512 8cd250fdca2a4a1bec5d15ffbcb89f1ac90eb2b62026829755a056c0a0fd97c35e7ec1cb2d5ffaef5a1928cefa566f827f38bc19bd5c269020df609b2f218b6e

C:\Users\Admin\AppData\Local\Temp\WcUo.exe

MD5 2ae85308d615536b90a6f0054a724abc
SHA1 ffaac7db42b7054151811b4b3da764d412caba06
SHA256 5e2c0e26fa7f4690c6667678520ab7dd239721e70ecea39a7d98707b237d8ac1
SHA512 9c37f9675345ae644ceb76d3d4a45b7583902b806f1ca94037083473a078394d14d2ea7299ccbab0293b33e38f3b7c490d332cc23e5b330f5c78f7fb72f5e572

C:\Users\Admin\AppData\Local\Temp\Wscw.exe

MD5 5a55004793e5f235e3283de64bca33c7
SHA1 56c54c1d88c8f3a64d8f5dc2cffc874a4dc33dab
SHA256 e60971f85fa5d402709a7b2dabf6be5258146ba8769f407ca7864c3a6ec782be
SHA512 76e4a968c6b70ff8e53e25162e4cf00ebbdc589a60fc910d46db508727f800fa96d19a28bb45fae771da7e1a5acd44eca3f3cbd8c0f7e24eeff9487d934eaff1

C:\Users\Admin\AppData\Local\Temp\mgQe.exe

MD5 79a8f5a88689f97b141354716461c146
SHA1 fa219d04408c31f9c933a648484e003f3ac240a7
SHA256 596eadf57386e48b5ab5a1523a0220def0b399faafc056d569b815c9cb476fac
SHA512 1e50a7b4ef18e75fc3cf85776d1e6bf9009df7a1cb8d80f888e56aad52e3d9e3e1050df8ad23bf1626158aecc9f5987f47ecfe8aa7e83e559ebcb99f9333bb86

C:\Users\Admin\AppData\Local\Temp\ucws.exe

MD5 ff8482668eb0b649971a0ece51e260a3
SHA1 951c3bfbfd4be4fdec9aacfa139453c48ff990e5
SHA256 46cfb77acfc89721cbd8349b61ab8431918d331591f63acb784cadc4f28d2cd6
SHA512 ac80adc8aa3003051975ea85bfb6b71f8013686dd74ef224ef58a1541562f9528854d2f6a28b0326183a78325bab9f5b29c80f7b921eecb58a94509c2f4f1882

C:\Users\Admin\AppData\Local\Temp\Acgm.exe

MD5 9f8694702781368c4433b6bd7a126a0d
SHA1 ca4466cd2239e4a18555737207978c39c409279c
SHA256 92b71e238ef7e5626e853077f1a3e25a3e6223c10b57779fc3fda329e873b96c
SHA512 5b80a1cb9ef954ef7dc8d8d61072ed9fd24a8d4946019440d18e8738d074105bf5a76eaa113837730680a9eb202d48c0643d2fef137813a35ed436ee5bf45bdf

C:\Users\Admin\AppData\Local\Temp\GwEe.exe

MD5 0f01d8bf2402001bd2e10ba32ae92547
SHA1 2d59e3c57425a7b5ef4aead5649c167f78c55810
SHA256 2839265e93161bbde0d8cd8cdc1761048fc61472479408b13237be4f1ee0df04
SHA512 a41e859ec2352c6aac92a4280a3ecc68c74c2f1fd54b7ccf9d87d5a8b072eecb8af1643a20aeb7b6e883c50b7f15fbfb1080b524fcb24f796e742858cdf3efac

C:\Users\Admin\AppData\Local\Temp\cwUg.exe

MD5 52bdc1f4f2f9eaedf534f8cb5a196b11
SHA1 9d6dc66bdd638619665a111ca067f235faa49e62
SHA256 b6b56ec16976853b7515fa0e6217389fcb3ed8d0b60fd82724d9f64fb9c98b3d
SHA512 a9d71924c8a2bfb26b488ce68100d4ed52099a2c26c962480767ed1e2fdceb51fea736d6ef1c012940b46591d5924afb1ef0fee480d218c34e1ef299accf135b

C:\Users\Admin\AppData\Local\Temp\EgoW.ico

MD5 7b65672ac808bca7c81e0700562aae9c
SHA1 e279f707d5f93cd0449443cf7f70d54a54763208
SHA256 e5798e3d8c1af62d997a27bc2fb7333639a4f20e9753cf7a5b0639cd93f96448
SHA512 7592be8433d2044e21d2e67cc5905f1ca3d2c05884f99e4fdf4db1aebaabb735ca1d50f6397d02ef2c0ba6e4528ec5fdc4592ef35e0e6d451e0453d5491345b7

C:\Users\Admin\AppData\Local\Temp\ocEY.exe

MD5 3626352dbcce9c153a22c7a7ba12cafb
SHA1 d8b3e41d1f8010731f4ce051cbf90e3478a5cfc5
SHA256 8edcab37808a28f04436b78f111e23fcc0b1b8c6f4d2628caf8ad746fe40dff1
SHA512 012dc6442ac8bb01fa47e9fe5643cec99795853ebfd39772747feddb2b41076c3eb1bce88aa895d1712ced00acab469de795db995db4cc3e273ef77b327ac45e

C:\Users\Admin\AppData\Local\Temp\YMUS.exe

MD5 838541aca6e9abf01969f84833bd7c7e
SHA1 5f17ce39ee1e67a007013381afc565dc71b061f3
SHA256 bec52e3dad5c15f86743c5d2da409f17beaf59c767b13bcf2aaa01fcb758cbb6
SHA512 21cb2e89e29af369c18eef0f0c2da5f20226523198b7e4e01d1f0f80bb2f3265dc7ebdde94b8b9a71ab2155fb7d756256aafd490f20279b08ea2fa978d1b7955

C:\Users\Admin\AppData\Local\Temp\SkMM.exe

MD5 d62a2c247ee4b81b1b13827d2cd496fd
SHA1 6988433c876e2e0e9c4abd348282ea12693bdbc4
SHA256 654a87d8fdcc7e08be4144ed4e4192098b89841e89f2cb1697d2a9a9898aa713
SHA512 d271a6594d74d213b67defce4b62ea57c403bff2fcd78a0450558de2137739e93cfa3126c76c4602f865d20668318e137a5d73c862912eef2fc1939bff42cc30

C:\Users\Admin\AppData\Local\Temp\kEgq.exe

MD5 1ad254c7d39c589c9ec17e551c11f6c9
SHA1 63534e807bd1230c45d62c70a09d2d9e34ecdb52
SHA256 bd84d67ccb7313936018c708068be424643d66be033124f7312a80cc9320a89a
SHA512 fa0a5df4b62f284edd7eb4ef82acdab331d98b0dad9e8caa3110111f5da452e0349b85f49e19ce1e3850fe0c37f653264f0313fd176e647b254ba55aae3ef3f8

C:\Users\Admin\AppData\Local\Temp\esEo.exe

MD5 d9de833b0438e8cc79491cfc3dfcae19
SHA1 1cfff1cad787406bddacd6ecb8e2639378bf763b
SHA256 3cdc0b5b3582c59c845a23dadda12affe231a653a3fde20f98c7addf8e5010be
SHA512 f865939e912a2c109e437f39df20fa9bb2d2d0d1a6d80355f83b021657365916216fa415fda49fc32b7de0cb5ce14235deb6a8887127d2a1dd7c8a0e565e025e

C:\Users\Admin\AppData\Local\Temp\YQEo.exe

MD5 4e356af956fb40856c5e4e266e923e91
SHA1 e34ce23badcaf06fdc348e11cefce9a326c1d4cb
SHA256 90890f20c7e44f143e19a3c13db8c01f19e945529d835274d29d686abb963432
SHA512 1b44dd881b52a60ed6099661dbf2cdc1eadb7c7749324848633377409c2c614b0a8e7f830643ac3952d8ed623c38f2d773cc40c392d08e058ea7778ea2b6627f

C:\Users\Admin\AppData\Local\Temp\ukkY.exe

MD5 6e0cca9b40826353915b3ba549239989
SHA1 50c38f111084057562da74e1fa479072ac78509f
SHA256 bb9569daa3e49438fa49e6c08d6115f6cb26739ae88bb71258825597a012b58a
SHA512 a0dd39d601529ce9b9a9ab937b65a970c18666a62f049b3b577f7ecaa5bf2a2dd6246d6221ffbcc69a58d78d4d8988fdb45bde2f40aed14a6aa10bd675445013

C:\Users\Admin\AppData\Local\Temp\OIAy.exe

MD5 194fbb111a6aad8a78c7cbf0d6bc3e12
SHA1 1f5bd62af528723f3f0d83e52b0550bb3bed4ec7
SHA256 72a9ceedf01fb670d5a27b7225061af4b222d06e467ac2a17f5b80cd8c1883a2
SHA512 292bc123193519d43d6be982b9237e19868cc29708a395f236633c7698be8d3f8176c2f093b14037cadfa3187c63710e456683ade746a728a5f90a201165b9bd

C:\Users\Admin\AppData\Local\Temp\iUoO.exe

MD5 604f932b6873ee61121cef54930fac06
SHA1 7fb0d8a34dd1502513761c338af368fdab9a3ae9
SHA256 8faae47c5c7c91fa29a5f352680b3a7927b55ee277f1001f981b1000d284d296
SHA512 f26265dd92808ed9718771e3dc8ee08a85a296163d5150fad1c82a44c4d3e43f030bf1c0e7f60f2d072971e481d91856e175dce16145a0f6c3698fcd95594ce5

C:\Users\Admin\AppData\Local\Temp\SkkQ.exe

MD5 e805ff3513bb7a3abf2d0bd0a1645e2d
SHA1 f40fa78fe99a8d3915141207a3cf14432f77f032
SHA256 905f199b029a408c8f8164bc48bba4d5cf06874a986811e6fa5afa2558fdc2ed
SHA512 273ae3ae0fa09ecdc2409f9c2969e15e03bbfa05bfbdc4194a511fe44106dc89c37ee04e22dd9d2119df5d384b5ed74f3ae95be83d6f717279eeb6b742bf374e

C:\Users\Admin\AppData\Local\Temp\Ygog.exe

MD5 b4308bae3e6dddfff6fda0a2b8aaeba6
SHA1 3bece605cb28d7b624b15bddcc34ec888bb74054
SHA256 90c175565ae607bdfcdbc48f5262208e4252a922a8fd1442f85bae7ceb8cb236
SHA512 4acff823f02196aa581e1b77c093a48f8b84b0275464da8c99118fc74910821e2030966b965cdd69fe85914faaa6bb7fb30c2e520e1d83dc83a0eab896286f19

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 ff7fc1c93df217e903076a2b02c96743
SHA1 2950a2951165fc58221f5bb31a632545ea061349
SHA256 b9fefe67aafb6c7e4082777cb4b497a977712608b0f012282ef9d7e2a514a684
SHA512 a95d2784bc3abe9da9d805abdde9a1426bcadb486f70a48d814b86ae488be95493fef57500e748fa58418341cfd49b6bebf8f53024eef0e49b6e213354a283b9

C:\Users\Admin\AppData\Local\Temp\qgMc.exe

MD5 68eb54f5b0c42d228f64df68514b14a3
SHA1 e9aeacc8a6d407a07b5d352f3c33f7cfee78f562
SHA256 73cec87db030351e0e243635b3d3bbf4d21d4ad611afffd359799698d2c0bb68
SHA512 4f98b615c177a65567993ed9cb073236f5c4e205c23f1826e301e28f9ae77bb17f9d3995377607f90fa6fc0edf5b1dd0973569f0b2bc853cb8f4cec94f4854f3

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 19311f47265aa3ce5004b79500394710
SHA1 fa71ffa80fa8576736ab75b94fe509054b35509e
SHA256 10a9f27666451b6d369d50b89049ff219952ce346486951bc74100f81a875ceb
SHA512 ecca8fd6576661c37ee8d007c397b84a902b69ef55edc208dd9769c45bf8afd3254956b8a7b2d6aae6e7811c2d5f8e51a15b25e7a6f953e64d5499031093b2b6

C:\Users\Admin\xQUIoMEY\YCwQEAYA.inf

MD5 759f2c8676dad1757fbc8b296d35856b
SHA1 0d8f20133418e60a375e41fab7a5076f5a07ad4e
SHA256 b36735506205d7d3241de448d433e96d32d835624410d058ce37383844c11e02
SHA512 b9c27f39529aec78786d37f3e88306fb2d9b70a7dc1e8c960d4f2d054276958a2d82efc9599645bcb4c66b53eef96e3e85c0df9b560303a6a9015313629b75c7

C:\ProgramData\peIIkAIk\uioQcEUU.inf

MD5 de810e60c0b8af2702c84b933553ec8f
SHA1 d81138c4856c499ef3aa3f868ecd229c5e1f540e
SHA256 8e7302465b0996d8849a91057e3c224390a0e7a22145b546396f46d74a47876e
SHA512 bb7f03503a0b5757d6fff1127752ccdc8af931f8cb3efaefa1938795a0fe8c97dd1f020e7cdc0f855081fe6bbb3f25aabcd48a45a1adc9347dadc8b9cddf5c0d