Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-n8qlta1rv6
Target 2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock
SHA256 f1f5aaf209f61e8c50313fe2356e5d2d64035dc33ab435e148ed14c821b112f4
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1f5aaf209f61e8c50313fe2356e5d2d64035dc33ab435e148ed14c821b112f4

Threat Level: Known bad

The file 2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (83) files with added filename extension

Renames multiple (84) files with added filename extension

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 12:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 12:04

Reported

2025-05-18 12:06

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (83) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\BGswwogo\OUoYIogw.exe N/A
N/A N/A C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A
N/A N/A C:\Users\Admin\BGswwogo\OUoYIogw.exe N/A
N/A N/A C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUoYIogw.exe = "C:\\Users\\Admin\\BGswwogo\\OUoYIogw.exe" C:\Users\Admin\BGswwogo\OUoYIogw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUoYIogw.exe = "C:\\Users\\Admin\\BGswwogo\\OUoYIogw.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DYMUoAEs.exe = "C:\\ProgramData\\zOQcssQk\\DYMUoAEs.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DYMUoAEs.exe = "C:\\ProgramData\\zOQcssQk\\DYMUoAEs.exe" C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUoYIogw.exe = "C:\\Users\\Admin\\BGswwogo\\OUoYIogw.exe" C:\Users\Admin\BGswwogo\OUoYIogw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DYMUoAEs.exe = "C:\\ProgramData\\zOQcssQk\\DYMUoAEs.exe" C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 5020 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 5020 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 5020 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 5020 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 5020 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 5020 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2548 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2548 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4964 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 4964 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 4964 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BGswwogo\OUoYIogw.exe
PID 5084 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 5084 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 5084 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\ProgramData\zOQcssQk\DYMUoAEs.exe
PID 1320 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1320 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1320 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2704 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4984 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4984 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2704 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4140 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4140 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1436 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1436 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 232 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 232 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1436 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1436 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

C:\Users\Admin\BGswwogo\OUoYIogw.exe

"C:\Users\Admin\BGswwogo\OUoYIogw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\BGswwogo\OUoYIogw.exe

C:\ProgramData\zOQcssQk\DYMUoAEs.exe

"C:\ProgramData\zOQcssQk\DYMUoAEs.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\zOQcssQk\DYMUoAEs.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCsocUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Users\Admin\BGswwogo\OUoYIogw.exe

C:\Users\Admin\BGswwogo\OUoYIogw.exe

C:\ProgramData\zOQcssQk\DYMUoAEs.exe

C:\ProgramData\zOQcssQk\DYMUoAEs.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aecAIQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOAEAggI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcMEUoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgsokcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWIccYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMIMYEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wksoAcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGIwwYow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcIUsEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TawAEMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaQAscgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWQYEQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAkowgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 81b14f4fdc12952f37a8f2ba4fedbe62 lIBQBQHnhES1b+MTqhFhiA.0.1.0.0.0

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgIgQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGMYoQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMAoIcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUUgosUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaAkYogM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcIYgUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsQMokAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgoYEMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGYYoYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMoUwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcYgAYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIwcMoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQwggkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEsoMoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOAkwkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGMwwMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaEsMoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUUAoooY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSgkkggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEMgokck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsAcQEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySAMcEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKswMscE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmwcEIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AocMgccA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGAYAwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiQgAYII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\poQYAIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgsgMkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOcoUccI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCwQssos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyMMYQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkUAUMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reUcYIws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEwkAQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuYgIcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIwcsocA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIUYYIog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYIccAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUMQUssM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkcYcMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmMgAwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwYossso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiYAAsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugMsEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiggowEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAUsEIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMAkUIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkYUsIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQoMAksM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUYwYAks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cugYkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiogocYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiwQAwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqsAIgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyoMoIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqgMsggo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMAwUgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsQgUkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaoYwgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMcQQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUEMockU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyQIQgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwMgwsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGAkwgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eucYIgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUAcMsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcMsIsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joIMsAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQIUUIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaAsoAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaIAIEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAogkQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imQsMEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQEIgwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zewwEAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCccMUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsoIwMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmkcMcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqQsYksM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyIYUUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqgMYEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAQEEwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYgoMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOAokYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQoosAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgYYUIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkMUoAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAsQgoko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcQoMUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAIIUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McAAgIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asMgsEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiEQkIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIkMAMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAIYwEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSYQwIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zysYMkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqkAIQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egwAwMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoAckgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCUosAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoMQsoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCQYYUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEgkIAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuAsIkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSgUAgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymkAwcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AesAIkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuoEsAII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOAscIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

memory/5020-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\BGswwogo\OUoYIogw.exe

MD5 34432ba5a47050026785571de6a17aa9
SHA1 2de1a30baccb1eaa8483aadb0eecea231e73e4c9
SHA256 adafb43ee29a0988ba077807141e6b5a0abfb8500e9dc44a27cba6742e614e20
SHA512 f2ba64418a3843c28ea117f18d8b1698f2f7cc0f61f13cd65d6ad42fdda8f28b6c672378f9d77c2b8176f021df5c2e4b1bd02d07fc1cd43baeaad8d97061c87d

C:\ProgramData\zOQcssQk\DYMUoAEs.exe

MD5 e2b2eb454cc39fa47d9503ba2a4bf466
SHA1 48e4b572eb33dbb3c696920133d3df9609100795
SHA256 039b607991cfb0f48f3f22b6f878f98b9b0c3f0a4feb4df0f7a7b9c29782dc50
SHA512 e3d9eca63067611b4dccb65710af870df24e640037ed931ad777cd89d5ad032f333dcd58b426cb513ed55a70997142c7cd84d07d4ed4f557f34df20a1b44447f

memory/640-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2884-11-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5020-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2704-22-0x0000000000400000-0x0000000000436000-memory.dmp

memory/852-25-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCsocUcQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

MD5 96b5a5aa81cddc217e02a83da419a8ea
SHA1 2f005ac25837210b71780fbf0d44b1b1da873749
SHA256 50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c
SHA512 bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\ProgramData\zOQcssQk\DYMUoAEs.inf

MD5 654c7261fb94f697ac39a48c3b71671b
SHA1 a760d272e7171b8512b9acb67c023c8750a53dad
SHA256 c0d7c759733bb080c2033f193fa8d0406137f2b73273bd95d7c4d2fe1badea35
SHA512 c059d4b9940ee7fb456186608a80d0c591bc752aa25ec8703d20643c05a402fe140727737af9ac2de52685cafc21ce81f90253958568fb938c57c889818eb6cb

memory/2704-38-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1436-51-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2316-62-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4332-76-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\zOQcssQk\DYMUoAEs.inf

MD5 992a37de5fa7f0ef2e55c0807695ad91
SHA1 a299618b7ca825aba98c2991d07aa4007db1eab9
SHA256 631b32a036511fbd418626232082c9665fd94930800b57b24c29b2ced8423e01
SHA512 cff7c9f0086fdb2f8b8589607d323331df21f10a04498756451fd1f8453f6e2c2d8515bbca974e118600be4d7ad44e977e3f0c51f5e8fa54bf00914e18daca15

memory/4316-92-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2176-105-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3880-115-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2940-119-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\zOQcssQk\DYMUoAEs.inf

MD5 95807033d5dde0880028d98d35a9a053
SHA1 44bbfc7405694d17cc2e6744b9debbd3709e4c26
SHA256 712f3eb63532211bacce62fec05e8edaaa8c0b5d6919270fd98cefb46c64e42f
SHA512 cb568b2d97e8ce27266d6d8d85803df3de1595120ecfd197d50569facda8f16bf0fff404c414e5b35eed73db6f66f2fee85ac8c2dd8bb09ab38015b2f197cf64

memory/3880-134-0x0000000000400000-0x0000000000436000-memory.dmp

memory/456-142-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4000-146-0x0000000000400000-0x0000000000436000-memory.dmp

memory/456-161-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4756-172-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\zOQcssQk\DYMUoAEs.inf

MD5 ec6b918c578d436a2627deeb14a214f7
SHA1 679e4f05cca1287d67831a78eb12336f082f02c0
SHA256 3cab728331871d16457919c533dd6ff90cc406f10b21f51654ece37b17cecf59
SHA512 19bceffe37e2e5f8b24ce0ef16c6c6d9c6b58a61f855e7f18acc96a4e46a31ac890b66a31b0cb999c98718e28613013574c1b48ab986a419a3205834d3d85e0f

memory/2180-187-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3892-198-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1812-213-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4332-222-0x0000000000400000-0x0000000000436000-memory.dmp

memory/884-231-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2636-239-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4604-249-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2964-259-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2128-267-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2208-276-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2952-285-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3320-295-0x0000000000400000-0x0000000000436000-memory.dmp

memory/700-303-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1460-313-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4288-321-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2684-331-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4324-339-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3776-349-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4304-359-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-367-0x0000000000400000-0x0000000000436000-memory.dmp

memory/756-377-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2736-378-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2736-388-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3864-396-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1404-402-0x0000000000400000-0x0000000000436000-memory.dmp

memory/928-407-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1404-417-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1464-425-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2328-433-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3256-434-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3256-444-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1800-454-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2380-455-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2380-463-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3032-472-0x0000000000400000-0x0000000000436000-memory.dmp

memory/528-482-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2316-491-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3604-499-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4972-501-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3908-510-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4972-511-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3908-521-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2104-522-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2104-530-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3744-531-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4668-538-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3744-542-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4668-552-0x0000000000400000-0x0000000000436000-memory.dmp

memory/264-560-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1800-561-0x0000000000400000-0x0000000000436000-memory.dmp

memory/264-570-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1460-579-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3864-589-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3396-590-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3396-598-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1696-608-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4444-618-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4436-626-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3396-627-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3396-637-0x0000000000400000-0x0000000000436000-memory.dmp

memory/928-647-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4140-655-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2104-664-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-675-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4972-683-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1556-691-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4436-701-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2536-712-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3776-711-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3776-720-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3232-729-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4304-739-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3176-748-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1908-756-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3892-766-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4952-776-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4748-784-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aAkE.exe

MD5 3a394e4f918ed547b6835b776bdc3b95
SHA1 652460ce3c78dc491709120b3beb6e3635550525
SHA256 7dfb15340faf8c965cd0ee7e825abeafc74c97e5927e0decd73f572b0e9b6ca8
SHA512 645458b2bfd8d3ae6e8f7df41fd4551f296ae77aa54213e8eb85ae83ac6dbb690db11e35811d40eb8c20306c976e1f7e2ceb239e019c0ce7f13f6a36c1268c8f

C:\Users\Admin\AppData\Local\Temp\CEUA.exe

MD5 60f4622389ae098443996e2b7e456c43
SHA1 40b2e3841bffc5d498e44b4b68f59401a3f0b223
SHA256 e4f8ae7308ebe0282242d2ebe396e2b16c2c5a4a9d4e4c197d07b234dc968bb0
SHA512 b5d237b1cadbfcee6885d7ac1118ac97981bc7cec21f37795488f849f353a8162aa50263b90c78cc7f37d1d02ef46f58c1ba5abc5b2e1b426c2178be6640a5e2

C:\Users\Admin\AppData\Local\Temp\Mwgy.exe

MD5 0be6e07f75b346e74867cdc9f4e7a160
SHA1 cbecea708290153a37b3ee066980b134658166a2
SHA256 8fec1686b205cf44c33be2c63a992243f881a640d7be3da724f902c6ec69e575
SHA512 984e1d4b779ae1a54197cd3c9f89fa798ac9509f9dc296b8ae551c6c4f8071612966dfa8efee67c39bc74c5e1bff50a23224a94caa31a56b175714f9b7dfc3cc

C:\Users\Admin\AppData\Local\Temp\oEUO.exe

MD5 3cf75b04073ae530d6a961961befaf1e
SHA1 516ceec8ca6e316634241375f24c1484b3a80f55
SHA256 65b07e65c70a98400aa8fe153bfea5545f315085e82dd923c17b1ace686e2cf7
SHA512 f0b4ab8f1c09d0e0f7bae9dcaeb95f78ac2955a381df3b2c6236342a83ab4dbc0608af0452eaac5463e69340231b819abbe47dc12d01f811b094843e096ced33

C:\Users\Admin\AppData\Local\Temp\CoIW.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\Wggo.exe

MD5 223ec3c19ec1dad0c45400fdaff1922b
SHA1 0bde68346606b87dd4139458526bd7d3afbf1a0c
SHA256 045a7b76bca32ef955ccf4c6e6271f0460b7fde543c6acb9d62446fcdfceca31
SHA512 0b0a9e664d10bf3b58cdf8094055c000337fe3d336dd73c4bfde5982931ad70e6ed560ce2bbd1bf6f52d1f39054e0c7b491ece5e9d0387a443f12665116032f1

C:\Users\Admin\AppData\Local\Temp\ukkM.exe

MD5 0cc7b69a88ce80269f4e3000e52a8003
SHA1 3255c4770beb2cba388f411639ccd2c166b39fc5
SHA256 0724160201612b418be3e78c9a425431c3b72507c797878b612031a5a9c3a301
SHA512 7cf1b6ac6ca8329457e973d6ad22513091a5688dddc01d259b72bc99b123208a51c0ab6ae51771cf3c4c678f2dfab94b75b998417afb23a552e9b8a621c19fb6

C:\Users\Admin\AppData\Local\Temp\mIcU.exe

MD5 c8437d4a26d5338c06db9e12725fbe71
SHA1 c33b6b200e306bc3a2514fed375013b0c80d3ddc
SHA256 c3827c1bac0f06876fafd6ba0fb4aadea83bb5f9442eee0dee475e180d08b940
SHA512 cc82e3638cc8e8cbcd5b393de003e5d61858e4b4c48695e80ba65bf7e6287adc15d975e38d7490ed1b92ff3f76c68ce0cd882f1a6e3d6228c6aa10dc2290041d

C:\Users\Admin\AppData\Local\Temp\GkgM.exe

MD5 f55262340b9ac5032b2b502c44220b25
SHA1 6c084f52ca38fc60d5938b4476f71ee60706395c
SHA256 23045133fca7fadfdeefdc74caefa22d54ab89a3ffd6b5dce297c855c810517a
SHA512 5c85a5150d1c43d67e2bc98f2cce1afa00558bc8876735df3ab2a9d4311b0de48d1bcafc35899731a6a3f3642c7ca1c6fc07b044daf1f6bb5a9e9c6ef4b31425

C:\Users\Admin\AppData\Local\Temp\ksoC.exe

MD5 3e71c19b95c6fdf0b4157544d433825d
SHA1 61a026af54739d6fd7bd6247b1ff54e98e4b44c3
SHA256 e8a1bf4e655fff7093bb022bd95092b17c29658a95b969269ef5bc16e79be49c
SHA512 9dda33d28a9b47a0e1205aca0092ff829b868cf08d86a85accf5b92cfc78acb041e5a5e049c6736bf5bab15f322d044e49c7a1b9a797ee585801ec69d3519250

C:\Users\Admin\AppData\Local\Temp\kssS.exe

MD5 48cab26872fcdb0924f6cb51aba0de7c
SHA1 4be6a8850f12f5657f1351793d2c58b6f6c41920
SHA256 26740967e8a1f074c00913a7fe0914180960f5eabbe19c45f17327b1e0e2324a
SHA512 07cc2f76f9ffd0be1c145f2671a61116e10eb8f2dd4af9a87da5ecf15cb52c65d5b7caa044fa7136b94bf102e96abbb0decb217932dd22fd09075a5132a4a431

C:\Users\Admin\AppData\Local\Temp\KMYm.exe

MD5 525c71e7dc337bb96752b48a62b5c1c6
SHA1 c110d221b7085c6e3b15fa6e38862693ec0141d2
SHA256 be8b1c14838dfe9e2e54c9480a56a0ff1c2bc0e573f8a6901b79d277872e5676
SHA512 b461f304c0563a77d283a3d8a9a1597db98fcaf6404cf5af3b1a5d58e0ce1df9d7d0be296d39013aad13006e9d4ffe5ae386dd53f40b227c3e168fe2ca861237

C:\Users\Admin\AppData\Local\Temp\uIwi.exe

MD5 4f4b4c2af5cda4490098e430168f0ab4
SHA1 4b46a8a7025f45928b173c959411b3efa06de219
SHA256 13a4a852d7bd5b602b61a1f8a01511e9b41505c363d8b5c569e57b56ad4f9087
SHA512 1aa0aade646dfee113b8939f53df5960746cd77c4675322e1b5ea06001e6fec06e666ef708101db647b2f90f82e5fde8f048a1b495264f228c6994b30539a898

C:\Users\Admin\AppData\Local\Temp\EQMs.exe

MD5 9e90f70424b90c9058cc66e2d6b7f36d
SHA1 569fc652b204dae6f0bec4d535649d852a72926e
SHA256 c6965e2a30d03739328d14204c829f5a7683705ca58f4623df97bdf0dfc02a1c
SHA512 60bf9cd0b43e6554fbe7e1c9a0ef319b33d86eafb1d29259818092146f52c72d6b3b95bbd36b25e10548b51eed6ac733aaa32bcf6b16bbcfa02b0428861dc43b

C:\Users\Admin\AppData\Local\Temp\iIAe.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\cwkW.exe

MD5 83e29205e11c28e59885b8d843d742df
SHA1 a31eb712dd7e64854e835729598ed7949dd358bf
SHA256 96f9acfa59977b040c3db2765370b7b53bd1235782374b828ce7b43517666bbd
SHA512 fc8d53f7ad48c79bf32158f5ce53a9982de580532be377471b4d73c0bbfb66b486bd517682a539f89cd61efca297865fe9718f9d5ca873e97c38b907b538a952

C:\Users\Admin\AppData\Local\Temp\sEAA.exe

MD5 95714f5245e60ad8eccacdca7ded8cf1
SHA1 fefdfbb94730a8fe425f09e32d2619efe4fe1eec
SHA256 549b0eaf0d010e6a0cde833bacf70b698435cd70ef5669fe557d2e894af59d75
SHA512 64fcf6954526cf745ecbee56f0b258e72f428108654f238386414ad147a83cea78f8ecc8d65030a478020a1ec67bbe8a5c0ecd79a33430518d556951f96541ff

C:\Users\Admin\AppData\Local\Temp\eAkW.exe

MD5 5c3d20d6e3b3139fbde7b61359213d17
SHA1 f0056556ebc167c6ccd03ce81abd46d3f90edd5a
SHA256 47d03587233c612f9f8c44bbc80b8c16445faac98c2b639049d6560438d6bbde
SHA512 5737889de572bfc0a692a9b246adbc5f8f519e6e4e2f2be69aad3dc6ba7aa65ee1b882b4182f60e39f19c407fec94a220cd6f10507471fd612ab85ae144de5e9

C:\Users\Admin\AppData\Local\Temp\Ckck.exe

MD5 ed5b3170ede2bac9afe2ca8b027ec5c6
SHA1 54e968302ddf210ae5c4481fc40045a2a1508071
SHA256 ba4af29567d173e05ee0fd9a2c5c5ad7178f4d37900069dd2167c291d0168834
SHA512 5bab16c7eae535db7576a9093e9a95310b543ed5dc6787ecc75f52b44e7ec046c50cbf39bc07e978c32bb7618aaff82cefe8272fa7991f919e0cbc76d9646314

C:\Users\Admin\AppData\Local\Temp\eYAM.exe

MD5 7e46b743cfa940feccecad8615d671ff
SHA1 56bf64e92ed9403b0d3f229975a1eaf863a9f9ee
SHA256 fc19ca19228d1793ed2660be0a23071733522120cc4fcbc2ae4cfc6708ffee1f
SHA512 c1b9ae9e09978b671738c88beb81474ecf9b7db24e66f914eb1fd7e4d4f0a1962ec94abbb80bd414c061129e9634959edea1bd4041f380664ea9049fbbacc8a2

C:\Users\Admin\AppData\Local\Temp\Cwkq.exe

MD5 a0f5168b5e54377168c842da3689a1cc
SHA1 11a5fb30dae9e29150dd7a79acb3709c55cbe238
SHA256 0e9caf6357f79baaded2ff1ad43c151c36bf7ce416a5d52657b569049f18387d
SHA512 b5a93c248f4edabf4e3c3db985d3fa5707fceb187771207c1e9cb237c56672a4d2638b41cb3645b0b8b9b65ff94688b10e0222a0a228aff6a8ae5c366e20f3b1

C:\Users\Admin\AppData\Local\Temp\YoUq.exe

MD5 6f9c919a09de9aa7874c2e9f1e7b9987
SHA1 a8d49227d7addf9bd0b73cb36a09809d3336e39a
SHA256 c453778f522e172328278ea54b160da01256de8ef70b6cdaba49bcc8e0dd2997
SHA512 cdbd482d3616a14ce589b677ca20903e111d9c0e0f73078e12b304c4b2c7e88ea3e287c9bd23a0b9eb46d5f37325884d723831a8a66cc1a0c4f28fbb4f880a54

C:\Users\Admin\AppData\Local\Temp\SMki.exe

MD5 a3c1b839c3754ce6a539198943e5192d
SHA1 d6671735f1ad959fa723014e1ae9826000413f22
SHA256 a29a3c4633bbf255f73e820c925602b13e4b9a3195242ea507af38063b0507ef
SHA512 37a09b2e776ec603f4a9232683ad9b43fd1a2b9563be239aa6d747fc57b80ddd2819ef8445d5ef4929515c59c17cf7d7061862a07158e063da1650b295275f6b

C:\Users\Admin\AppData\Local\Temp\QAMI.exe

MD5 4dc57bcf2e126661939dd16dcf738544
SHA1 2a8c0760641ec821dcbdc6d3f3f3cc585be16608
SHA256 1bae083f85886c51b93492d7c4713b89006c4ad3a3471f27e922fc956562261d
SHA512 2d12c1941d8df4b54b66859946412d9bd3ceae3641d1d576b9496c2e74287ee5fa80160320a888915c1b06b8b293b195bf2a16637665c6c5ab59d82fb250c99c

C:\Users\Admin\AppData\Local\Temp\sogo.exe

MD5 2a87a074e7c3073de5b2c2caefcb628b
SHA1 ea627f636695704d5b6e722615980cd45de8359d
SHA256 40603fffa2b5615460662b8afcab182a8fac8ac4159db9eca566d2c1e9a8fb3a
SHA512 305290819e4351f1b715a2ed987ae205ef9ee05b4c0f6168b1655076cc9dfbde2aa325504d1bbeb39a895dbfbfbdc421ef57af5cc58aefbccde23bc20ec3b25e

C:\Users\Admin\AppData\Local\Temp\sksi.exe

MD5 388786daadb0e64ece5da4cadea98bb0
SHA1 a403fc12ea9be2aac022d814ce1e823e86b4ced8
SHA256 6ec3b07ffa395c28d621f6ab7bdb99a596585f6d023afaef305e196cea59f683
SHA512 03696a5139cd9d780054a257b39ec647a490704fb6e3db1119a09ff7d18c765e99e6f32b270e1c6ce88525f59b4cda206e8d8ba7e38a2ebf2650ef6f0582b9d5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 d64c5914083f2ae70faef407873666e0
SHA1 2bb4a8d8df28314771c777f374894425a0f4f59d
SHA256 ed50579e00ffa8c8b75729e8a49a92c66e615723e08b475247a4f5c614b6f55e
SHA512 1932b9dff3b295f42684480f8350334d22bbc0b39a894548fb4ad6bd534b385b0561277ab7ea21ad8580574b0b36e093ee0385ebab53b92749c1c83412e95e32

C:\Users\Admin\AppData\Local\Temp\KMYW.exe

MD5 8c3551352ec3ec8298702dc79fb14240
SHA1 e8c86cc0d9bc63574c75cfeb09ac53e3ba9b855d
SHA256 e1d3415e91a692f7f5f5360029d3fb7980ec50aa3b1602b6c0194d8a98699881
SHA512 6484a1b89c926fd006c1f60bf0615890e320febc532dea301b452158003a6b04f6ec338caa1dd9834a9da1bb288226f1e60d35ef04a076d8bdc5569c163dda38

C:\Users\Admin\AppData\Local\Temp\UkEU.exe

MD5 ea30a89451fe93aad23a341f7fa14288
SHA1 45cfe6f779e37db8134d2158d7c2bb60202d29c7
SHA256 86b568a75f92715f1ca3735c62b0cd800f273539fbaf8788dbcc6fb7e3b02a33
SHA512 9188f6e88e58ea57768732bdefac98d1e1a583ae585e55f95df08bfa46b9e3b9f9453f3b0bcf38fb927a2c6aceb9a902fc9d3b20654b6d706673a7b57e33fb49

C:\Users\Admin\AppData\Local\Temp\qgkA.exe

MD5 a8f5ed01738ed432262b51139e18dc00
SHA1 31c31c44791a213e5af1a7224494401f3815ecb9
SHA256 8be92c49c72086de66178d32123fb737e1ceae2194d6413ab234375f4f8502ce
SHA512 0c53fe03fc9dd5444b0bd89dc59dc20c09bc8d8f833028c682ce42f107afc45964d9acbe22c79e461319c84f6f2633c79453af70d5b940be4fc120d5bdb28517

C:\Users\Admin\AppData\Local\Temp\OoAa.exe

MD5 cbbffa153fe6d1a7f4bbe6acf0a7c81d
SHA1 bd4c99ced83afc8dd402a48fac7881b3b7880d72
SHA256 e1e656fb4b63d446d102223c257b7282b5cd97e1aa4480595cf784bfdb0c754c
SHA512 bc41c8e2e5adc7fc91300da5461881b0b9b5a25616bdf60f19c63f9c86490b72b748174f471479ae7d8db25597d06e775e16fed0b3f13ba8cb7be7225c4925d4

C:\Users\Admin\AppData\Local\Temp\SAgK.exe

MD5 506d784090cd841edd0ee7aa83f1ddfd
SHA1 9d040ec38d1a2db19892be2221cc998a147b82a3
SHA256 d916f354bd852910fafd9dcdfb179f5ec1878087c8a694c4a8e2d795776012cb
SHA512 a172e01db5f3f0862b775be4b3715d3bbb1a01596eb088331fabab1164ecd8c72d6716e14f36df7f832132acd6f864b5bcf724c2f89117a88764e6e15f0a12e8

C:\Users\Admin\AppData\Local\Temp\oAkA.exe

MD5 5658dae18ad718525860ba6b6f2c4e46
SHA1 9638072dbd5fe0e7653d5fd63abaeb1396d35825
SHA256 7ab754111315d319502e9e31eba75a2c366d4e7cd401fc33208374fe64a40eec
SHA512 a558789569ee8fce49c8da56206c3468c411b437219e4fd273eed053c080c656ad9d35e4036ce7319fb3bbe02d1311db467e6032890cc8f5322ebb31e687cf2f

C:\Users\Admin\AppData\Local\Temp\AMsS.exe

MD5 b13c5958312012f3effcc5ef1195c504
SHA1 c04a94535046b487ef64c12fc224fdb376a4d85d
SHA256 01d533eb60d3ef3e6340d820cfc878698bf00b0c1775f688e5513c2bba72aef9
SHA512 8d221d84cd3cd4fa7bdbf6639bf1e9a98f6362d517c894170b63c494b4cb3be56d686b4be77870061819abf8e2a778d501da0ed1414bd7a1f1e0709f6f5304ec

C:\Users\Admin\AppData\Local\Temp\EUsi.exe

MD5 345df869c867df114491c2b76203e31e
SHA1 693d4aeef720ac65d74598a6f347fb8f779627be
SHA256 683f1aeefccd9ea64c42fd6970c3240f9a085597b2177209d798ada6173151c0
SHA512 bc982b309ad555edda486a0114b0066b99d73fd4a6b10404ba34fa48f756452797377c48c623900ba975a447754f79b693a64e330fde00f4bf7ba576fdc95c3e

C:\Users\Admin\AppData\Local\Temp\kMYo.exe

MD5 a0be0287948578f34ed9e110c729ce57
SHA1 7dca3a5ed84df7be719ba4ce0a2fc465405e3bcd
SHA256 304fc0356ba8b32387c2425d339ffb491c07a97f39a27fa1001ef01165cee9d8
SHA512 10d024929a3c07c26f38eeb85057b32b83f70ac55b6beb9002556bf29eb8e93bc94c504aa8ec64b3fb1f7047167af7f1b84ae6f2938bb8435a753dd7ab8c79cb

C:\Users\Admin\AppData\Local\Temp\qssa.exe

MD5 f1e680c7be082f358d25235fb231e46a
SHA1 9bcb6b45bd41d4ec4b38d56dc3b9e9b922943cdf
SHA256 f9cbfac630f59f00c5f906203e77579f889d131c959e756d7378f4d0755d5334
SHA512 5285401133d4a2a8b66b360e57ad5b0f7ad584e30ab3ee782d4d35569213e168c76f4b1a4c43af8209190c40acbe0378eb07fef8a1afacb56fb2820462296b2f

C:\Users\Admin\AppData\Local\Temp\ascy.exe

MD5 d15dbb0758796504d4dd6f3ecc410aa9
SHA1 380b797ea04048620e490a09ce144f9242bafdf0
SHA256 61d2488eb89c48d68a34f36d2a26123c388ab6f9f2bc306a9f0ebf9f6b55f51d
SHA512 76b44c8c7a2bcee450167d1f71560fa1738846ed0be5b4fd411dff141e1da84618c2ec76e11949507aa0f0d938a422ce044f51885db2b7b689e9198222107f37

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

MD5 4561d6d04651701ca98a1646cf182186
SHA1 ca929e8f84e36f9833c2d3253676c9d47763e81a
SHA256 58555316ea70037c02bd2818c121c974644a6114471bf0cba0561720448ae8b8
SHA512 d537b3c1dafd192cf62b9bdc39415049c68684d1584a5a75042d8865b41f441310180851be6835563389a879ef4cd85453f2d8d13b7f0a81047cd2ddad7a00e9

C:\Users\Admin\AppData\Local\Temp\mgwe.exe

MD5 c667dd6deb213a8aa1ce5c5a4e7f2999
SHA1 682530404406c826847a2750831c0a48684cdef9
SHA256 2b2cee76f824cfd3b6a770f8be28d4ba31847ca76823d9d46f3fcd23e2183b7a
SHA512 f69b186d120e4d12152c453c640fdf095b81ebaf5e35f31a837a4a17f0caaeb7675d8b459f3e58e91249593b8e4e413ff1c397ba90048e1cd8053257ac330652

C:\Users\Admin\AppData\Local\Temp\QQUS.exe

MD5 055a0767fd7cc5788e80177cf1fe434c
SHA1 30c2cf719cc87e0d10e427f172a01036c8e45c1d
SHA256 780476703e94ba01c94d98896ba4e5ad57a35d6e3b40363d94792edcac57d046
SHA512 30bce0aaab327b729d3276c3c5641fb9740746a56555a3c2dbcd9dd1b6ab7687c1d7e05ad47d34ad5062f54c43c94510804bf95cb8ceca0d77bb3719af625717

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 8863a25609bf4edde4a0f13d4faee9c2
SHA1 3077d1d321bc681a2e8e8347ea25c9554d4640a5
SHA256 044e4ede9db846beb3fd6ac5bc0b6f435e9a3a2daea90555f0687e4014fb0f57
SHA512 75572da518e3719cc9cd16ceec58cc716232ed7c53c9a641cf066c61094219def73179bebbece294d34ab2dcc892fdd70d3f60d4358f13b333bb007988e8e19d

C:\Users\Admin\AppData\Local\Temp\cgcg.exe

MD5 89e9cfb4388e7d9f084616552b3dc506
SHA1 dfb540ed566111c5114dc98a4f549cb02b3d4698
SHA256 6ffcfda96198e74fc20e006a8c4fd788df486bc775802025f99d639627043a94
SHA512 80383e5d2b273572508d132be903e7afaa5c4ebd24b18019441a3326d2e6133de3130a593ffc57ec346c13e0e257ffede89cba612159e06501c19e6be708ba26

C:\Users\Admin\AppData\Local\Temp\CAsq.exe

MD5 69bc99a56b4fa6ea04169f4ab006909c
SHA1 7823a7005e8e9934349dbbfc741dcd60f3f2b71d
SHA256 895d4fd52f6430fc622ccfbadc4a8b4cb49208168d9d29068b08c41a50c8e2ef
SHA512 fbcbc1c8126d9f77f490a31a5a424e8af35b660babbf60299f31a7c4bde72f2d53068a58a931fe3c230105f65fee1dee71d8c8038d74c772381aad048b53f3ef

C:\Users\Admin\AppData\Local\Temp\AUge.exe

MD5 1a8cc7e5b5ebc59a5c6b867e17a616a1
SHA1 49ddb55cb08fa832aa01e9f99afed82804363b64
SHA256 c82b305ac5c779a27934b74770b4dba26bd29af6f8c876507f1d78a1091fc7fa
SHA512 eb121fd372aa848f47f033959efbe39bfa07f088c107e7bf379a76d0db885ae79d348b7cdd9629fbfc6c6e9460bf6521e851b30f454de60db2a2fb527c563428

C:\Users\Admin\AppData\Local\Temp\CgQK.exe

MD5 678b8fb1504568fa159fe64cc4c0361d
SHA1 3c2c4316b94665562a18259f2b45a7e5992a2512
SHA256 ebbed2172e7b0aaf7c6f190deb888452d985e24fa96341a82249535742213d5a
SHA512 68c2ebbd87ab1d78c11c1e6f49426842b9e6f7c7dcd749ea3bd659dabb4d22228e4bbc2b0653e5ffa66312a3e1118ffdf743026476be8b30bf748642da69bbe7

C:\Users\Admin\AppData\Local\Temp\CAsu.exe

MD5 93cbfdac49d4c7809d750eae6e352706
SHA1 7ab5cb2b469b7c34c0200e948a969d57e4d5b770
SHA256 6719c530a32dfe43db0025a782888dfa60b041dd4048edcae3886d36b6b81370
SHA512 928469f3bcef73ae6a691326528060774fbb1dea62623f211b690daa8c7ad18e694ceec8ebea92857fda2ec01340c6d84ed54f45e25df0e60c74b5cb3520f25d

C:\Users\Admin\AppData\Local\Temp\OIcc.exe

MD5 fbc989583b138afa46746b5e19d5e5a0
SHA1 b139a6c8af7e61d171bd5f2ae26c6e4b0e7eecc3
SHA256 857fbd441522e6f9e6037b9e31e665451f213220109320bb31faf5fadfc0bf0e
SHA512 6dceacb35b11b2136b176203f9857c4bae742f0230a20a335e0b7830084887cd45a33b0a65ea9c8e8ebc1c4945222b1f8f990f7b09bdbc18e8dd26037c866dce

C:\Users\Admin\AppData\Local\Temp\MIMA.exe

MD5 c60778eed00439f4ee33b61a6e923fac
SHA1 d96356fc2690798193c47f586550178876c6e1d5
SHA256 eb7f96cab929003f11f4fe890152ac7cb52b117ce34de05ee07d6b110fd5e570
SHA512 1e08aa9a2a45308459d8bcd68e1e0bfa90bee8bfb6b0589b717f2d9843fcaee32851ad4d711e7cb8f9ccfd57d84cf8052c1742a8cdd8b19664780f9c7f178ef4

C:\Users\Admin\AppData\Local\Temp\moAQ.exe

MD5 4069b6a79fd3e73fc2ade0050aebee32
SHA1 0078de3aae6c912715d5b896bea200927b47f916
SHA256 a6a3481e43a45cddbfc4c7eba612ba94322a546a591dba17ce8332e143f61005
SHA512 3d93efa5b49125b4f58fa4b47aec90a2557600180ceea2d4ed10fe550c557820d2fbd6d102a8e4c4de5d3e389aa27199f664cd985f3490a722fec8ea2491a6f7

C:\Users\Admin\AppData\Local\Temp\yEwM.exe

MD5 7f1e667bba2ba71c6f570d2dfb85752a
SHA1 e42de50d5b2d436746296d53322788afbdb1d466
SHA256 8f2f82da0fc27eabd202b3c475e9c8dbec55c95fe157a04af6be5b8dc6ff89b9
SHA512 18bcd947cdb3b7ed40cba2e763fbb5a54b490cbf5df4da03e38a143a1ab11f06e9d0ecf87434c512724868943c059579276eaa11ce1c323153066032ff5dfcde

C:\Users\Admin\AppData\Local\Temp\gUMg.exe

MD5 7c0c8c6951ea651bcc984aebcd7fc0de
SHA1 93932a86ecf43bcf53dde2eeb8dd108a8b1c6799
SHA256 d246669d10497e4dd1bfdef36791a0b56cb621db4478fd64e0a00b43a101fd76
SHA512 735755b0d9a06400192095455499d0a5ebc77d8c4660de3c47890463fdca0b323354b7d545ec59c0a11d93cdee075eb9ac0e4442eff8bc6ed6171c8bbf840fe0

C:\Users\Admin\AppData\Local\Temp\ykIM.exe

MD5 d9872bb9c3671dbabc25ba8a9f3ca21a
SHA1 a329c4f392fb2eb36164025169bd438b3f6ab7ce
SHA256 ebc694a4700a5eaaf6f2542f94871c84cddb026da94c0ac31613983cefc0a8e5
SHA512 a10179ec7a6b8ea30497c0e1c4196e94ab2f9380527dfcf58c658c264160e67c8d360abc26dbbfefdc0c623f38222bc982abd41b5dce87c32810b8cd34b4d66a

C:\Users\Admin\AppData\Local\Temp\MAAY.exe

MD5 9b6d98448b2b47ea092bbf8fe7516561
SHA1 f79529e2cd4a480e27ae73998e0165c279cbbcc8
SHA256 8b42673b223da088e86058f8f8ea6a3c727db4aa643df8ea01064aa09d723ac2
SHA512 2ba164fed91bd6c8d9bcc7f51683b0a3509923c12c2e78bef9b7b9200f7a1c294f53e916af2f101eaf79593d15ddafacfe4655f2698718899fa21fd59059aef0

C:\Users\Admin\AppData\Local\Temp\mkko.exe

MD5 6853898bc40193b055eca5ac3eff55ac
SHA1 01327cea1792fbff3464c0c0540f6360b0ab86f8
SHA256 a13aaa3b5faef7296aaaf9460c03c68ed3536a4860c92fd7266248d9c4be2da8
SHA512 729112f7c50b2dafbad6cdbf1632d55183fc947ef891a302b6251060a081863dcaed286c9b65328e41145ca996b46dcd7e351ddabe9f514b24d884e0e81229f2

C:\Users\Admin\AppData\Local\Temp\eEsG.exe

MD5 1ecd2bcd4f23263148a56e81f4ffd763
SHA1 5597a2992d9d7cf421defc7ad074ec9b38656928
SHA256 43d8b566b90baf7cd96a1c57241eedeb87657a2ba1a1ed7474b5f54fb0fa6e75
SHA512 4fe078f07823cf95c5d3e620d888476169ff02226d548d5421545355febd4717cf1f5664663fbe948275a649a8566dc4fb110d46959ea5b8fcdfbf4d75d24006

C:\Users\Admin\AppData\Local\Temp\ksIw.exe

MD5 313e0a546f01e781cf074d0f0c608845
SHA1 4dd60753cbd19f91a2f94c96ab1777d27ea4c1be
SHA256 236205b792c4ecd7aa6fd4f98ab3b9c24ca082e7aaa5764e48dcfaf5440450b3
SHA512 ac62f2857a11120c176f45ad69e4b2774155fe7e4146dbe3c562ac074195a83ff42af9a2a61f011d7ea90f08d7e6a5a6e253b40edd9ad26a35072d8e3d8473b9

C:\Users\Admin\AppData\Local\Temp\ogcm.exe

MD5 2d604a1faf50a051de4f93e90f6515ca
SHA1 711f9c26825ba163bcbab2596ad2817ccb95c46b
SHA256 f963a729c49fdf90341ae2d9f8c57f2dcf802d1f141d2027d6fd59fe57263ae2
SHA512 e928d438463b0a4ff0895a054dad98bdc4c521d6a22625d03348fb04c1f271bf36fe4df92249202c1c6702f9314a76c3c29125fb5f6703155a36efc48bbf5e77

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 06dcc79eac97370f2ecd2aa1d08f229c
SHA1 1acae3b1c5f7e758b31f50442572a966066ce4f6
SHA256 bf79eb35a8bae74dea924822cd48c8853d1cb99cb06283aecec306374b9e1121
SHA512 648755f3b340c47a27bbfaee6ad44c31774c5f31c6e12c0485ae33b06aa0e5c98a2d6f971a6b0feb53fe82fe534255edae5d4eea01c17be9a28574ddef08d9ab

C:\Users\Admin\AppData\Local\Temp\akIS.exe

MD5 cbdbef5c7cfe9824a44951d0d43d3961
SHA1 fb4bcb0ea2c01ec96ce0e98a2cc4b8136c0a5611
SHA256 e7eea547366cd629882ab38b97bccba297baff564b18d4103b1bc44c4e3afbd8
SHA512 8956ac26a4b5952301be0348ada4bb3e4669b6602915e7d42251cb15036e6a6baf33e9fe9aa55a987a3cbd26f8e77db6973d5457943510830d4b817f0966bbc2

C:\Users\Admin\AppData\Local\Temp\AQcI.exe

MD5 7e160a9acac73c65e68f6d16dc45b6fe
SHA1 6e5e3e2f80670eab1e89a468ee8a3561a18442cb
SHA256 fca3c1b210de9be00add3336948a81e59e1b6a68385853df1f2fdb4a92f1d55e
SHA512 a153ae1639727fdd2cb5b3a4a55ad22d69c8e6c604d5738bcf5250b37d83d03b3682d5da21ef45fcfdf04a699ffb2db6080faa48fc14d6fb81f25e3442dca14d

C:\Users\Admin\AppData\Local\Temp\QIwA.exe

MD5 0f45e13acaad52eeee20f9ad308c378a
SHA1 229878158cec78c05a464ebd339e8a698202144b
SHA256 8f3113acbc4e27b585fc5d58ad30212904d4633f42c2ef0d3e47a588b3289be0
SHA512 1e37a73f05f5cf405621ca88c5ebd877f14c35009266ab0ee142789174d35b7abd85b6fd0391406c34d3bbdb6f8236f0bd0a5e2f6e259f3c13062447273e5ed4

C:\Users\Admin\AppData\Local\Temp\Uokg.exe

MD5 a1975b9215e2a429a418ff4d7f816c0f
SHA1 9889ece44e1e8b712b7c5ef2bd3853ac1b89d265
SHA256 1bfa4436477e164ca9661f04633ac01651a8d77190bc0f3f665ee716fe15e5aa
SHA512 21ea5e440914ed4b0a20ee63c217c33a71d51cb94f53aac68acbf8cda4cdbc10da2b4921a9d50de2d9f78bf2ef0fd6fe7431fea786ea2b06b9d0240e096eb636

C:\Users\Admin\AppData\Local\Temp\Kwca.exe

MD5 c90c9888c0e2a660663e54b9de5aeaaa
SHA1 dc969577c3139a09f41fb0797803622b06b53207
SHA256 0db62b345a8138e52317b1d475c8472f57d96c50139a9421d3ccd76ef54a4d26
SHA512 6d5afd8cf40532e9a18d5ba2f1ec57315e66d419ca3f5fbf77f6600557f1de891e3bb81be854f8fc9336d6b543dcb9230050c910ddab48ee8b6d4481ead8198b

C:\Users\Admin\AppData\Local\Temp\yUsW.exe

MD5 fc196b06cf0572f0c2cc88001d5a14fa
SHA1 d0a84e6957531ba1f2b052d9bea13a229a94dd7d
SHA256 dc93f95e11e456299220637bf0a6db5304df6db0fe9f2e824570fb1191a8842e
SHA512 234e7deb0770a7f61850a2442bfaf5cde476aaf99399bef37ee13d9cdd25ff883dc5fd157d1a47fc14174c5252f02f780cb6bd08b4a77d0aa0fd800fe71df78c

C:\Users\Admin\AppData\Local\Temp\uMkA.exe

MD5 0b5feb6138f1611f75b3012e111a84fe
SHA1 682bf45cd66f4b0e882db49c39192b1dc2e91cb1
SHA256 88bf4ad32d6195c47aa072f38ed3224dad33ecacf829850e46799d9763e0270a
SHA512 e7a1553eae8d78392de64173f3a676bb1a27d18f55ca34e4705c886feac1ba61b65b9b5480d860d61b1ee258d34d3d1974e3cf97b4e43da7cece246d78fa31e1

C:\Users\Admin\AppData\Local\Temp\iwgE.exe

MD5 7d0305f5d371e3c84c9f380fc12b577b
SHA1 446da70f744fae4718fe4093d756b3ca38836c24
SHA256 dcadf0de0f107551b78c98c546d4be3f214960cf33f7f273aa476123287d7905
SHA512 30b344871819273e1cc3b49d15b46fcf6a15a1f736b28ac64598f78b998a721d2378581ce2089fc70dae4716bdaa26e4fc6654f91ea4b2bfd4168a498909ab83

C:\Users\Admin\AppData\Local\Temp\SAUs.exe

MD5 b55f3336272a80041555f05350ccf7cb
SHA1 a8c989a4fd9dcc00aee3b3ddeb843a3419c520cc
SHA256 3682cd1be1d93e8ce92bc9b2affc5ea71e266c29e1bf92768da04cd7dcfeec9a
SHA512 a407953ab57cab820150b8d784ae8a59f665c44d6e514e6f7ce69a27b4f42fac86042979f487cfddaeea96b4db7bf83ff8b91436b2fbe5405fa0e17ee1332e68

C:\Users\Admin\AppData\Local\Temp\ecIM.exe

MD5 1a4a5cde6850fe5e8355a49944f2e520
SHA1 a58cc012e2f6ca4c8b53c0ecac133da88f9e7685
SHA256 a5397940d383b29fa3d340ae578e87a55d05b434557f983b615f298608961e19
SHA512 02d6828b93a00f4636584c085056ea285a4817efa12978c0a2de2250ef9631ef5cee832c08bea7b5783a8ea5b4285db09c02346b3f5e45c3f3272add63903331

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 2e28ce4640d05b3faa21ba64b53b9f9b
SHA1 bd1ff7b3034e7e4b2101e93b556f74c69ed606a7
SHA256 30cd6785edd518b74d8ceed07baded5627e8fd42e33db3238ef25e1098b1d3a0
SHA512 b4cf64a6341da5d5458b213b95cf2632b6521e90aa098d825069fc9b5f4027f6a49d966969547b910fcdbb5bcc275250139485ec2fb8213b3a449773595625bc

C:\Users\Admin\AppData\Local\Temp\mUgI.exe

MD5 306b99b490a8578bb0848ff35c171900
SHA1 b0c79ad8b049c2b608581351e6a333dd53a6c980
SHA256 6ee67528bfca6aa7c711f4a7a7a8cdfe455ade2c772fa3994f5c4c2be9fbe592
SHA512 79a61cbd2e28c3569629418ecee3db3b8f99cb0d45fb92fbbef820f36987538abbfad7a4e992b50f5b75abcd9fa3786ea14b82850d52d68c677df71337daa25d

C:\Users\Admin\AppData\Local\Temp\sUEI.exe

MD5 12cd80b56605a1dd1e5c710b850e795f
SHA1 fa6ce5fd1795513a5e2aecd60b17c9f508c95b95
SHA256 a475e11d0d647de81e54542f81c0071e128338fbce3301bbbef8f7e6f116becc
SHA512 93f10f9ca7fb5fb53e95b7c7966d4dca5b1866d35649a3baa757426dfda7fd44859b2f98a58e1466e009c5990f48637910c35db0eeedfa1b8b8cd4fd25d180d0

C:\Users\Admin\AppData\Local\Temp\WIkc.exe

MD5 a310956ae72f236b5449fab602ceb742
SHA1 c15fbd1805942960ccdcb878093a7810eb6a04a7
SHA256 f22a0640f4e841c8954b5890bb5565fe84d96569095565f8d22a0a7bd105d484
SHA512 3b510b11cae440181063567253d1d0fb3ced55c443e0f5a0176c877bf57d8534a464d7c5c4b99b9017602a9b1b6087476bf17e84dae377f40f8854fe7a5162f4

C:\Users\Admin\AppData\Local\Temp\kIQS.exe

MD5 85a28038ed91cfc2f011590802413345
SHA1 3598467383913a686f123b139cd49a5076264765
SHA256 4d018a7eca7ff66161a7bff5389841ad46c135dd911755c83d4437d97ac19dff
SHA512 27ca75b54414a2b8701bad8aaf33edec697d823ed200a81d1bb958aedd9adf45275c8abacf15e1550fc933af91795d85096d4783c092ba57f599050c65b3a47e

C:\Users\Admin\AppData\Local\Temp\UsUW.exe

MD5 bce31c41059c98e8f2ce9c6eae0b00ec
SHA1 6ce1fb751c34c351662df86ff1ca97f1f001e581
SHA256 eeb7de53f39e069a349cceeba119e3044f6730e0a0574b5fcb8fe7a20fbb827f
SHA512 55f4764c8db9a0d6519aa86f84c438d31c23a3a7d0e3f335bae0e2fc315a7fd5d4fc6ffd276b52ec6caef4f3b302bc0c957884dedde41b5b3fbb1af5094ea9fe

C:\Users\Admin\AppData\Local\Temp\YMUo.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\wUEQ.exe

MD5 d31893b6e57f8be60d05526d4a0b0d64
SHA1 4a1d857c7221b493f90daa6122db363ae95c92c4
SHA256 852c54e6854d7f1875e5709c763ee1f062d965da419770f4fa21d1456ca7b0b5
SHA512 e03500b5b76d3b8eeff812594426bd4e419375041b31766e54b4059bd288524ef23ac5253265ad5dacb19e0d043cc561ac6b9f4ea4ab4ce4bebef35c5849f211

C:\Users\Admin\AppData\Local\Temp\mQkO.exe

MD5 535597e09b838d3a11e5e77038fecbef
SHA1 6520e6331758dc418412341be268731d4f887961
SHA256 e59a32a6a5c2a3ff9ca1f5e3cadd8bfc617da83ca3be3df19d7d9e686aa53c2d
SHA512 3a3539cce240f3933fe91347871fdcba5bd58a6beb5746008df686e61a28b69d480bd33db3622b220fbbf923a984507664b440ec5194b4807ec67e914260b198

C:\Users\Admin\AppData\Local\Temp\iQIW.exe

MD5 f9d7a58dd452ae83ae2997491c90f612
SHA1 d166a53dee0b9df25a1ab32a8709c964bedd6e71
SHA256 558275aa5c2d6dd041f4cbf99412136ded84bbe881351f0bcf6b363ed76821b8
SHA512 ce9f5d47c73bb823136018bbc2821b348857269f6e7d9818b6c40c42c25729e6c7fdfaa6358710a19fe730702f93a9a6f00fec991763adc96c4955bd04dd721f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 2ac6e3aa3c4a1f69be0c94e0b9ba8bfc
SHA1 d12df934627e399c099a493dd7c340a423ec8441
SHA256 f53d1521b573da1f460d16128ce07e7b6f2331c2e6af3add22e57974566a994b
SHA512 2df421e9512dc9d30a7f5f4338b562ba7cb6f236726b6adbce45a70911675a1fd4351ef8a757c327dc344c1b136802d5aa451d7d982e1228af7f179c83af7989

C:\Users\Admin\AppData\Local\Temp\mQAW.exe

MD5 0e798069b5bca36b48ce8aafbcf6ceb0
SHA1 1d391184336bb27537e6acfdaf9ed1fec094f264
SHA256 d0967a92ba5eb1b69c158214e1b1e3100c3ed0b7e5e3381716387862952b6a99
SHA512 17eb746092e35c9d11037024e21d84596d61838315166f4fd88db0ede6d155ae600922aef002063092906591e651c1e44452bc11916fba6d3e2a7dc0422c8560

C:\Users\Admin\AppData\Local\Temp\IEwk.exe

MD5 0f1ca3916c2342113284f810d50a2f7a
SHA1 f0ea815fb98e9dd1836a5cb9ef17073f873b1f86
SHA256 8cee9a6d154c99b936d03e2c5cb524a54dc37ce4d3a1ae77689553c284fc6478
SHA512 6c9928703cb8c3312789689a3c528aec0edcb2df196b5403b19cda905644ddebf7016cc54339195a9142f1dcdfb9c57aa03a911569cec332fd19818fe88d9259

C:\Users\Admin\AppData\Local\Temp\QAMy.exe

MD5 4119276c2c060e1be77c1c70ed7c003a
SHA1 030d7096e5d098e2bf8253203b413e113d94e404
SHA256 e603be4ebdd4d0532973d6af4c771024f88d2a5cea2862f0c47b1ef25369a99a
SHA512 80dab1f018a38a6e6af2496f7a4b7da585ab31394ed3046ff1680b33e96d5e578a804e23c55640e1349ab8fdcde43d8df8a3919bd95781405f4e0f7772384057

C:\Users\Admin\AppData\Local\Temp\aIoK.exe

MD5 268b821e55c2d5bfa476189e63f7d78a
SHA1 3bf8baf02f7901baa57f367588595c1779405862
SHA256 a085979105086f251eaa8ddcdec2e8909b3b9dc605bee5dd331534da7b93ed6d
SHA512 f6550bf592a02eaf679ff3efdcf0db4fdd86e3eb289169a806a3736527dd1b3e9e13bdc5cfe40bd999b48eaa433447a91bc23b0ed4f2a898d379f30470ee0318

C:\Users\Admin\AppData\Local\Temp\QYIk.exe

MD5 86a61acafe3fee785dc531d86aceb79c
SHA1 e0cdbcfbb1633e9cd6b0362215d1017a0abd5eb3
SHA256 bdd3e67e8e05fa8db0371cd0a8c912edad4519be735f5615d28796fafc9b0922
SHA512 25cfd4c095c80a58a2f2a6029768ca8dc3315ba2e4e9721ced69305412164889d5eb829a8d48cf56baa38f6b19d69171ccd7f8931694a70bdba871cb65cc2562

C:\Users\Admin\AppData\Local\Temp\SEMy.exe

MD5 a92f895beaf7c61fbdc7ec898b2270e4
SHA1 90a999012f63a376d33c781547329d79cba248b3
SHA256 e26c6cac5b93b8b9541552b41ae3a9d43130934d4a1c3637afdb9f3c07298faf
SHA512 1ae42ee3407317785e86de17644dd73441262ea60132fdee0de105a91be30a958bb5442ed05dd8b3035cbb3c4550aabeb641861b182494a725368b3cfa8f3593

C:\Users\Admin\AppData\Local\Temp\IkAs.exe

MD5 9a229974a5fe0c844abb51126a62d8ba
SHA1 29ba4d4d0454959bd27a3e44a5dff1a809f0a305
SHA256 290396ec42d82bbaf7a7e6865ad2329059ac11802ad4bd06033340a5b3647e77
SHA512 b9744e026a0ec28343e3f7a853e6f1b7bfbd2462f460c8fc0550571613d7ee386639b323e381aa7624071b844c72b6a79e8da2a5869f92c10808f1f1bcb0228e

C:\Users\Admin\AppData\Local\Temp\ssYA.exe

MD5 3b0e86a833e757ec38916106c1d9e06b
SHA1 83b2ae1a5da80ef6bb0daa7a53e4dca74bfb47c7
SHA256 57231f7991467cc6823824f064536ab533711d2e62a74ba0a1318956a9e0ae0a
SHA512 c0a59f02944e29073101047447f15ddc0d3f141df00bb249f40ae93871fb73a1f2ab24f290ff6dc0060bab84936a87359c7ca3eb27d6fe6ff337f4b30714a85e

C:\Users\Admin\AppData\Local\Temp\cUkS.exe

MD5 6113f03c7dcb843beb9cd900eb5a4569
SHA1 a8bf970aefa72bbd7d26dfb9a6a1e576030b51c8
SHA256 6a69a0ffbd4b83e132c736d61b4ab5457c15e059dc99614a5164b4f64e6348bd
SHA512 03c0a0eb06df7e13eef586b6028ead7a10b4c9fa95e2ec70e9cac042e7fe36527365759738d4ed3475c270e4cd667edb8a0bb243a8beb9e26b8554a565220879

C:\Users\Admin\AppData\Local\Temp\mkAS.exe

MD5 e6070f56a1bf39e448e53d065a294398
SHA1 67d4affede3f735cc6f536e02b8fe72365680038
SHA256 4f629f25a8504659c70770e94b7baa2618a1e299e65d603b830c41a02c9dbc0a
SHA512 fb727a38e9421e26dd5aef0f2179492def072bfde50861d9672d311544f4e317b557f63281cb835ed14f30484982b555764802db3725b3282b5c4567d7f68551

C:\Users\Admin\AppData\Local\Temp\CYcM.exe

MD5 e34dcc1af6e9fae09baf4b8b6ebd0777
SHA1 371d438d10bd55b0e9dab8719bc2d4ef313b58ce
SHA256 d69d6347f2ee595d38132a1c172a344bfc872a3168aca8e74d56d3a24983b7ed
SHA512 11934802d3eec0e2011db20a5dee2e775b21994635ce3b60543adb6ea4bf9e434cdb56bdbcc91142b488e98d03cadd54aba107cdb2c7875d1d44dad36aeee25b

C:\Users\Admin\AppData\Local\Temp\agcO.exe

MD5 d07b15c31abf2effaf803464fd871576
SHA1 a2342504f1336edc61e362ac6875e8525d0aa029
SHA256 910f0fbab2a192aa02648331c6d2aa5755c23d02f2eb2df75518369b4dffa7f1
SHA512 9208b2670f2d69154ab102f7e48843d12945124d6d89ae933dc69fc4827ab44fad95c1b3cda0acd7884367a595d3dcfc78f51df1b931bfbbe5b58ad963747b35

C:\Users\Admin\AppData\Local\Temp\cIUk.exe

MD5 c4d0fff6f1bbb55ddebd3ee123531bc9
SHA1 4bdf9ff4d9e6d16a965ce9690529735b92cc78b9
SHA256 aaef2d1669e7d99dd25dcd7090f2dfcaf5c516088a1165434711a563d6d56134
SHA512 ed790b0fc53cee9944c6d655d541323857ea711cffaaca9cc5ba4e0e973c04e16cde0320a369d16f62ef2f6b5d753119ccdadb7398557371104d3de0edb9fa61

C:\Users\Admin\AppData\Local\Temp\GkIk.exe

MD5 e7122d67a4bd15ea289b14c29698f2ed
SHA1 157b1678e14534ed13291c3230f2c521c7e4debf
SHA256 5e7c613f578107dae8a4306d7a8c6423e04f2cabf63b3f4d2c42490ef593a250
SHA512 c5b18c53f4b4e27d531c5f8e984ea1c1a9eefa551386a1a6f80a3d1930074b9567f21f1c5e5e7fde0048fbbddc044445afa071ba9cbb55a42133b510dd1ffd9a

C:\Users\Admin\AppData\Local\Temp\mkMc.exe

MD5 176022a1e16cb813fc577e1986aa3b2c
SHA1 cdc89b03963c2b7fcf5cfb7495d018d800ae223a
SHA256 6aa2bb34cc6c804e08e1c0324c1b1cdd0ea9971fbdda0c943942ebe712f34ca3
SHA512 429466c78383e381b17cb1268b96415bc518723c27def450dd45854feb33410a488f2211d248b3a020e90fc4f13a453faaa6d5e5f1908913fbfe0fea1deafdd0

C:\Users\Admin\AppData\Local\Temp\GUEY.exe

MD5 5f1b01a11f8ce443eecdfcd854242a05
SHA1 b97267f255499a11e340edd84338dcb8d8dc8a6b
SHA256 0d14e870bda76ddfba5ad669d436f00462724df36a8c49fb2ad788e7c9ccde78
SHA512 dbce3507f4a8854bbf7b31d75e0bece67c9dd7edecef35cecd35fa2654ad9b6be944a632c063daf4abc5edc8de3d25b19cc6a34953f7d4655ac885440d3c971d

C:\Users\Admin\AppData\Local\Temp\scYK.exe

MD5 74fc2c204999bb80d8c9bf1cd81817c2
SHA1 7ec1fe0ffa9666652e39dce78d884a85a57c1274
SHA256 f1cc9f04ac1b2e86b14ea69427791ba4fe72a90ee763a87ca7085186c3031ba4
SHA512 3f5f28b3c2b56e69ef1ff75ecd44cd5ae354e9e246ec663e03048d7c55b2c513c43ad7fb258bd132f74a65fb3551050c138181e9282c6e1dd9f673aa86eea8e4

C:\Users\Admin\AppData\Local\Temp\eEME.exe

MD5 e3ed97223711f6d4507d60146a50de6e
SHA1 ee059eadc80404dda9718988ba86d59706e1dcf6
SHA256 fa19be588f04ff22043d2bb4235b70d07d9ccfd746c31daf77f3ac41740180a3
SHA512 c29ed2c89c9dc69ee250612b2e9aae22bb979da6da6c837ddb6fab784c448662426479ac9a8b2a370cd55c90d51e4ce658adc9dd736c881e09891d4a001f16b6

C:\Users\Admin\AppData\Local\Temp\scEW.exe

MD5 2e1ebed78be86c978de136cb31b3861f
SHA1 529e15b6bb17cb4f016cacb3163f57ed3fa4299b
SHA256 dc35f05ee74fd072e75c1da926bbbb7dff24833660cbe121906e6ec59b9480c7
SHA512 f135ea4ed469886d71fa8c962cee1ac52031210a3fae036d78137ab7009bc51848ef464c0b27ac8a61cd06e69eeb3d1eb378734e7c68ec90c1fb25fe5d664697

C:\Users\Admin\AppData\Local\Temp\SIog.exe

MD5 ab827dfff77a80e778caeb58437e903f
SHA1 3568f6506b1a52720c423f8419f8b686a2fd6469
SHA256 d605d24a1a3d68fde283c7a1d2dbcc16cfe5b226688f3e2d23e29b1575c3b9f4
SHA512 f467b58bf6e59bc99813f9a55d3e520d7bb3bf8cac3bfe9bd070770265c11627dc538bb5c15e323d172b6fc0fe9514f063fa025574e8564e3771d0d3f7bda24d

C:\Users\Admin\AppData\Local\Temp\QQAc.exe

MD5 9366abd387dd398a527e62dcba2f465f
SHA1 dff8806d1bb559a1c772332de31cdaa941672193
SHA256 6e1e0286d66832f97c67746c85ba64ac92c98ddb73bfada7110bf7be789653d1
SHA512 b9351e543230c76dd16288e87285a21fa65f11ee1617e3976dde46adc707fd5cc42f61605fcfac5020a0f6bb9753c8a8541b383be9ea4a0df5b8a21253e7c380

C:\Users\Admin\AppData\Local\Temp\uEsw.exe

MD5 4a7e236c1343480d48e8937ada843b8d
SHA1 fcf7d27cb67042e63b98fd2c52d422f84939364a
SHA256 0eac094d732890c17025fda678a723ed98c9826cb68c7057f1995838051849af
SHA512 8ee8480b7431c8598b002f13c836157cdcdc2c40416f1438c8e7fd74d569657c91abf44b02cc9bcedbb0c79549bde35840895d25a1a8c4950b29007ba820db72

C:\Users\Admin\AppData\Local\Temp\YQEu.exe

MD5 1fbcefb81b0de67ea6b32844659e57e0
SHA1 8c3035f2a28e101bfd50f5691e8c639a664f0a19
SHA256 e7bd3496c751ce64821a5377f7cb2295a204b03a6dd2862d16db72538bb84138
SHA512 b7edbbfaacc808a2c27d879da54c9459b8d14e8431e3b9eefe5bf601a1860d648ae5d3e69abd65596388e7095d16d337b41850eabd987516b2e6ad4293b3dfaa

C:\Users\Admin\AppData\Local\Temp\mwQC.exe

MD5 8f2ec48dc28d7fb5e125c8c1ba9a48e6
SHA1 09b235d7032e0ee935f78c8a743051495a00ae43
SHA256 32ccb0911e6e83d8eac37e0258c679c9019a58973d1a4306288f2c0b1dca2a19
SHA512 0038297584a291038d243f38f576fd2dc1a68dc4e877b99a1596294bfe3c5aa1941b4135323c0a45c8962d05d82a38b9664c87ab6081c72ef5a54ad6fc472d2a

C:\Users\Admin\AppData\Local\Temp\yMYu.exe

MD5 391a1b673ca84aa119c6a892f3f3a346
SHA1 af93814291aa642c882dddd525ea56bfe9993727
SHA256 c06c1a3b0e0536c5ebd3d01a0a0d4783b54b345359a9ad8675c34b4718b8cd34
SHA512 88ace4b0984334190aa93ce2050e707941a2ad9eada0111015f6276b9ca064a2b02ced4158da53067fdfa09dc4d35fdc1a8835358ad264278fed9834c4a66e66

C:\Users\Admin\AppData\Local\Temp\IcIQ.exe

MD5 09b30ef9cbc778e914df06593f5060bc
SHA1 60f3d333d5bc72c934ce1c8fc23d7b37e4c91d78
SHA256 87b0a759b07bfbac4cbcf9271350f1afaba0e3c572bec1b806013c80a1348d4a
SHA512 85048e4b217d48323fbb0e14d4dbd465b24f793862f213b6fe62659c2fc55aaf60fb6bad896a9862cbe048f5df361a662de386e82ea2a388a28abfd9e2bf6b0a

C:\Users\Admin\AppData\Local\Temp\UcQG.exe

MD5 8f9c919d7583acf21bfeee7ca03e0df5
SHA1 519ebe8b344fec76223d4e6b5c5d1f59cef8aa0f
SHA256 a13a9b92c16d2061636b9b7d9849210e07ff61d5e33993eec20bbe28260f8e7c
SHA512 3b869cf4aee5e0880de0c319e949b15c50242b01ced71b58c32e03ef7f61fc10e32f3836d3a29355fe5ccff5a4a38e146a37c99555db2be8eafe48572d112daa

C:\Users\Admin\AppData\Local\Temp\skMu.exe

MD5 6ff25cbdef3a9d3d8645980eef4a991e
SHA1 5483da422ad30fe35ff201d2b255f11a98ee89b5
SHA256 16d6c791b2eabefc238c7b8649f59e277bc6571900296c4c080c55ceacd17209
SHA512 58451e525fad2d64031d2a15aef2bc7c647524c56c777d82ff54dd6458b5c826e29425288a43ed527b5434a643b3ba419ebc389c3933d55ca06a480a9e62dcbe

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 be3879ca1115fc04a5bd9b1c9dbbc76a
SHA1 23e7390aad674bcfe9768da8fb3641f1fd39c4ae
SHA256 ef4d82ee87be27ff9f5b07389ac5c141c3484ac74df9b19730548965eb7e633b
SHA512 401a579d10677ebc82be8271703d56eb06c52407585331755b8220b6d1e6105d94b36ab8e07f3d4050f6cc1fe0d8c70fb3ca8000c6358b3e23c3077afb1f720b

C:\Users\Admin\AppData\Local\Temp\EoUo.exe

MD5 9f9bcffba7573938a9fdf14f9885ac93
SHA1 2e56c46f186d2fa187e4e86f5aa9bf2fe87459f3
SHA256 a730358b3ddd713fce8cff4c85083514a126b0914dc683e2b5d248b73f33faa6
SHA512 d2c61819883d8e7f53f99550049ae72cc37424fe78721aa1e376b5986b0fb6b7dc5ff7f3c768ed0ce82571eb960bf9fdff4c0f7be9620b4b6b8c30ae5065dcfb

C:\Users\Admin\AppData\Local\Temp\WQgO.exe

MD5 b6ec49f27485e8aec3acd8275580e10e
SHA1 0bb0c8c41e343bd5cf387f6998cf9a356d3413d0
SHA256 aaaa2fb51647e3667a1062cc07307561266fe0406b0cd8ab569af377182c7822
SHA512 07a4cb9c8eac4507bc3e17ca5d4112aa715fe8aa99efd04db2664877b9c2d90ca3479c60d93bdc066e64ef0adae9907952a68e93feb3e952459a775f4f71706d

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 30dbe54848f1b9dd349ed09229edaa52
SHA1 309acbdfd533776d88d4d6b9eb8cbbee5f6e1b45
SHA256 e7a2adf134b59ea6fb2e8c3367d478a02e82524d862b679cbf687b502047facd
SHA512 e9d93776c8736490119fbcb0c1a19fd44abcfead6173b4a6472049b7e4ee985b6278342a13b53f88e9c6d1d7beeda54d7ed91d12381155aec7e2ec4630166e66

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 aec36a8a341105d4f09b084528a382f3
SHA1 683202185c4e2d8d8b706bca45099457d6239526
SHA256 b128a28207030357d6f3534ca00568c9d683315166ac4d08579c9f337a325155
SHA512 55dfe17acbc4fe114d70338a146188828e183229abad02408834102d000684b11d9e2be176feaa0f34b9e464fa09946c178a637bb525a83d43daf2f6485f590b

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 16962404d8ac0b8810ff93666d77fc0d
SHA1 3f843513c9a18fb821567a631226a7f5fff52416
SHA256 529705d920b132086aa981ae0e4a7af62ee1f015b083a7205e441f56b51a72c0
SHA512 36f74aaba6db839794096122ec9d2cdc4271e3fa9325e30a377e64ad6bf529be0ced0d86c3064afcf6a79ba17665ada6c570b2958da4175743dd6cf6996f5c75

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 29fa93d6a35ce8842e9b59d7921f1abf
SHA1 7216e0823e063335f99f6efa0fad1071fc85d489
SHA256 05805d17eb6f429054e9f8ceeef513c64de9eded700daca9c14a8dd9b97e8887
SHA512 5e8ffd71646644b696eeaf67ccfeef14970bfa838fd27a8366efd8dcd809895e28622b668d4f398550e07f9dfbd7c877ef50de01949fed61dff407fbedea2390

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 d3f55f7c5992b21f02f5313794265d79
SHA1 952f3a0c5dbf32f9124ced524a99edcf5a7c2146
SHA256 bd46e7c6614487defbb582acb0ed2458c14c7932e5b2dda9c17707a1af8d5bfd
SHA512 342acc03d82d49ab00d8c0fc8ae9bfe45da4fe6de5ad5c726effef0eac25aa7ce996f9827847953e9ae28314c0bfbfe69dda9408faeb9ffe41647eb4f8ff5882

C:\Users\Admin\BGswwogo\OUoYIogw.inf

MD5 2a800ba50b63e640f5fa1432e24d7722
SHA1 94e55b96e2f80b684ec647d56814f8e3fadaddda
SHA256 c0a25f9e046a684f130c6558bd2734893f68795bfbb7351cce9929bcfeb2424b
SHA512 ea275ee9474f6f5b47ca9f30ed0fcdde336250c9e9375a49b505b0217632feb05d4cbd20e3327ed24faf6013949bedbf6320217b55f644248ea8f63562e7d01a

C:\ProgramData\zOQcssQk\DYMUoAEs.inf

MD5 0f818b956dfdb527a5957a26b8c96f84
SHA1 2cc857d12f433945128642e319e95a9af1806cac
SHA256 52fc79f5b31bbd5ce2cbc5b31fd5b16ba12f4d7ea5b9a6ddd37232c95b0ea986
SHA512 03c626ad4f6e0e0a6caa577c5b64bb234d55c21e0eafb762b2a2bd117ff8b495a8cee3e239d6e04cd2abd95d932d1516dfef98ac7a2f7b64a569db29ba3c9510

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 12:04

Reported

2025-05-18 12:06

Platform

win11-20250502-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (84) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A
N/A N/A C:\ProgramData\xOUkAggE\CYoUsEgE.exe N/A
N/A N/A C:\ProgramData\xOUkAggE\CYoUsEgE.exe N/A
N/A N/A C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\amggEAoQ.exe = "C:\\Users\\Admin\\BmsgoMkE\\amggEAoQ.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYoUsEgE.exe = "C:\\ProgramData\\xOUkAggE\\CYoUsEgE.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\amggEAoQ.exe = "C:\\Users\\Admin\\BmsgoMkE\\amggEAoQ.exe" C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYoUsEgE.exe = "C:\\ProgramData\\xOUkAggE\\CYoUsEgE.exe" C:\ProgramData\xOUkAggE\CYoUsEgE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\amggEAoQ.exe = "C:\\Users\\Admin\\BmsgoMkE\\amggEAoQ.exe" C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CYoUsEgE.exe = "C:\\ProgramData\\xOUkAggE\\CYoUsEgE.exe" C:\ProgramData\xOUkAggE\CYoUsEgE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5992 wrote to memory of 5132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 5992 wrote to memory of 5132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 5992 wrote to memory of 5132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 5992 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 5992 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 5992 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 5992 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 1396 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 1396 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4024 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 4024 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 4024 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\ProgramData\xOUkAggE\CYoUsEgE.exe
PID 1508 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 1508 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 1508 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\BmsgoMkE\amggEAoQ.exe
PID 1348 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1348 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1348 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2656 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2656 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4880 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 5784 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 5784 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 5784 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4320 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4320 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2712 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4640 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 4640 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2712 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 6020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

C:\Users\Admin\BmsgoMkE\amggEAoQ.exe

"C:\Users\Admin\BmsgoMkE\amggEAoQ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\BmsgoMkE\amggEAoQ.exe

C:\ProgramData\xOUkAggE\CYoUsEgE.exe

"C:\ProgramData\xOUkAggE\CYoUsEgE.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\xOUkAggE\CYoUsEgE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgooogAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\ProgramData\xOUkAggE\CYoUsEgE.exe

C:\ProgramData\xOUkAggE\CYoUsEgE.exe

C:\Users\Admin\BmsgoMkE\amggEAoQ.exe

C:\Users\Admin\BmsgoMkE\amggEAoQ.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQQsIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOQQgEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cicAAUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWkoEssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgwgowso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmAgMYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAUwEIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YosUMcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSEsAkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYkIUUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKMMAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuoIwwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lasYMwss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMsoEUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaskQAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soocscQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAgMAAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoocwsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeMYQwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoswMcco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VisEAwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiooMUss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIYQUEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAsYIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyAIYgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqEcwwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgkAoYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMUoccoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAokEIME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMIUkoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uewowskw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fckQscks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqIsEIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkgQwIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psYEccoc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGMEMUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IakIcEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CagkYcYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwYwkks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgMoAQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOAkwUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiogoMko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuwAkAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OokkgYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKgooIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teAoYYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSkogggg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUcYQgMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCEwYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkAIIssI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcsoIkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyoUkEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xigQYUco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGQsskwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGoYMwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUcogAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyEIwcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEYoMQok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukEoIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYQQQsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYckgwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FegAkUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYAUkEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmAAcAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOEwIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqskAAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKgoUAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeQcIogg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkcQcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGAsAowg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwgIIwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgsoosUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQgcocwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQUQkUQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukYIAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwocMMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYsIcwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeAMogQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaEEIMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEoIwMok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIUUEkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqIcwgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeoQYYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAAwQAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAsscQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyEUAgME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqksocEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsAokcMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgUgAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKMIIYAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\legkYsso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DucgMUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGwkIgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWAYAAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwQMwAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQIQsQsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsYUEwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkEIoEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loIUMcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSkgQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYUMEssM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwQsQMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goQMkgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuocEIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsIcgcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUoIUIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQQgogcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIAoMMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgQIcwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSkEgksE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMwcQckY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQkAAsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKEsooEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsEwgcAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmIEQUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgEQkwow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyAYYEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqwkUIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEoUgMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgMgMwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEUYEYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taAAockE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viUMEsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUIoMMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yewsIYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AagYUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tiwcscsk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwocQIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RokcQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOYUskoA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewEAwIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIsUwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMMYAEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syUsAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIcIscwA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/5992-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\BmsgoMkE\amggEAoQ.exe

MD5 c8c4875f53f2199bad7a11a5ff1a6f35
SHA1 5f0b1b9a3000c5d1e416c11524a0e43fdce5e49d
SHA256 e1ed983a7c5b56add508390221b4a86d4798d347ff818aa72085b7497b3a6127
SHA512 b84144f945d3b7e7d078d9dbd3d1fce44a865f585fb9135ddd535018c1a642b09dd1c51962aa4150b7236dee047ab4faa2f201dd43c43cf131406c2710249ee6

memory/5132-5-0x0000000000400000-0x0000000000430000-memory.dmp

C:\ProgramData\xOUkAggE\CYoUsEgE.exe

MD5 e73dfc6c5a5dcec0afb0fbaa45e33206
SHA1 cf56ea6db53819f30d0dd960c9cdc45c903f83ec
SHA256 e180528e5d6ae7b0b5a04473aa5c881b8eb09779f9b0a1d39b29329fe245eeee
SHA512 ef54662d654152e1791e3b994b5e84a81fcd5be85a439bfba184d0fd92faa822a8e9005a3a96c14036806e8f4464548c993c47b25caef19cf99fb3682a5e2b58

memory/5388-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5992-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4880-22-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4980-24-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgooogAk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

MD5 96b5a5aa81cddc217e02a83da419a8ea
SHA1 2f005ac25837210b71780fbf0d44b1b1da873749
SHA256 50bc79f388a6f6a3abfd401ede993aa67626207b6ab63320fd44879ef73fda3c
SHA512 bcbfe061efd4a2e60ae16f0ff2432411b3a23b5644f52b596e9b47d699933683c93e0174107520b60c010504c070bbc41aa3b704798ef400c3ddd814fde271cc

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\BmsgoMkE\amggEAoQ.inf

MD5 654c7261fb94f697ac39a48c3b71671b
SHA1 a760d272e7171b8512b9acb67c023c8750a53dad
SHA256 c0d7c759733bb080c2033f193fa8d0406137f2b73273bd95d7c4d2fe1badea35
SHA512 c059d4b9940ee7fb456186608a80d0c591bc752aa25ec8703d20643c05a402fe140727737af9ac2de52685cafc21ce81f90253958568fb938c57c889818eb6cb

memory/4880-38-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2712-51-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4796-62-0x0000000000400000-0x0000000000436000-memory.dmp

memory/240-77-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\BmsgoMkE\amggEAoQ.inf

MD5 992a37de5fa7f0ef2e55c0807695ad91
SHA1 a299618b7ca825aba98c2991d07aa4007db1eab9
SHA256 631b32a036511fbd418626232082c9665fd94930800b57b24c29b2ced8423e01
SHA512 cff7c9f0086fdb2f8b8589607d323331df21f10a04498756451fd1f8453f6e2c2d8515bbca974e118600be4d7ad44e977e3f0c51f5e8fa54bf00914e18daca15

memory/2300-92-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5912-93-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5912-104-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1352-119-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\xOUkAggE\CYoUsEgE.inf

MD5 95807033d5dde0880028d98d35a9a053
SHA1 44bbfc7405694d17cc2e6744b9debbd3709e4c26
SHA256 712f3eb63532211bacce62fec05e8edaaa8c0b5d6919270fd98cefb46c64e42f
SHA512 cb568b2d97e8ce27266d6d8d85803df3de1595120ecfd197d50569facda8f16bf0fff404c414e5b35eed73db6f66f2fee85ac8c2dd8bb09ab38015b2f197cf64

memory/804-134-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4656-145-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5488-146-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5488-159-0x0000000000400000-0x0000000000436000-memory.dmp

memory/992-172-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\BmsgoMkE\amggEAoQ.inf

MD5 ec6b918c578d436a2627deeb14a214f7
SHA1 679e4f05cca1287d67831a78eb12336f082f02c0
SHA256 3cab728331871d16457919c533dd6ff90cc406f10b21f51654ece37b17cecf59
SHA512 19bceffe37e2e5f8b24ce0ef16c6c6d9c6b58a61f855e7f18acc96a4e46a31ac890b66a31b0cb999c98718e28613013574c1b48ab986a419a3205834d3d85e0f

memory/1924-187-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5692-198-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4720-201-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\xOUkAggE\CYoUsEgE.inf

MD5 cd270a7640a686e6f6712f929aa7fe19
SHA1 ca5b3f6f8a943954768458bc5b5067965f59588b
SHA256 aed7608c97cfcd1a1d2a39b84eda82af52c4872e062163dcb10c7d5245221cab
SHA512 e84bed575b6ce816c2baf4b328c89fd2d87074f3c845d898244a6a8bf9405ad7716c3bd90ea12b24980ba2bfab61dfed52c5b4b46a25fddda6f1ee45040107b3

memory/4720-214-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5808-224-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5896-232-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3080-242-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3212-250-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5148-260-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1340-268-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2728-278-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2624-288-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5708-296-0x0000000000400000-0x0000000000436000-memory.dmp

memory/668-304-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5628-314-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5160-324-0x0000000000400000-0x0000000000436000-memory.dmp

memory/6088-332-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3104-342-0x0000000000400000-0x0000000000436000-memory.dmp

memory/6020-352-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2656-360-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4848-368-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5380-378-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4140-388-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2376-396-0x0000000000400000-0x0000000000436000-memory.dmp

memory/804-397-0x0000000000400000-0x0000000000436000-memory.dmp

memory/804-407-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5264-417-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4308-425-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1784-433-0x0000000000400000-0x0000000000436000-memory.dmp

memory/6020-443-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2364-453-0x0000000000400000-0x0000000000436000-memory.dmp

memory/672-461-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5380-471-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3616-481-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4460-489-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1828-497-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4852-507-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4228-517-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3432-525-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2940-535-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5648-545-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4652-553-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4040-561-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3996-571-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4460-581-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5012-589-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2388-597-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2772-607-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2492-617-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1992-625-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1740-635-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5624-645-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3392-653-0x0000000000400000-0x0000000000436000-memory.dmp

memory/716-654-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3392-662-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2200-673-0x0000000000400000-0x0000000000436000-memory.dmp

memory/668-672-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2428-683-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2200-684-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2428-692-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3268-700-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5684-710-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4416-717-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1796-721-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4416-729-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1580-737-0x0000000000400000-0x0000000000436000-memory.dmp

memory/504-747-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1204-757-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5040-765-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3424-774-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5132-781-0x0000000000400000-0x0000000000430000-memory.dmp

memory/6088-785-0x0000000000400000-0x0000000000436000-memory.dmp

memory/5388-791-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1260-795-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4088-803-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

MD5 c68cb63a5f7c534fcd1a03e606ea43c5
SHA1 2f74681224afe76d72228f5e0df613f35f708900
SHA256 83d6ef509b8235a2d1785370a6787e5249d5721e64ead6331d106cf743dc4066
SHA512 fbd80a67c71a98348ba1dbd32875e1138f0c2dbed44a1e3dba4389917b9302c5179d8561490ac40a80f154a6cbdc39f14373301489d95b3b59ded3d96d2916bb

memory/4980-824-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2940-828-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 0db7099d09c7a91911d924a11e687132
SHA1 1df6d5c5574e2fc4da489876fbeb6a6b2cc8f656
SHA256 5144e1eb9b3b79eaf23e15b48531b81cff2eb5195b1393ccdadd419b9ef2f4d1
SHA512 1ce7afe11891917d68773e540a220091ea971b8967204b38a9457ee4d8e449fa843beaf2f4d11bef5eb7b0e873ce499d29e7541c7a37f8641efbf1fbe5ca6881

C:\Users\Admin\AppData\Local\Temp\sUAY.exe

MD5 dcdfc15e218c2b80099cd8fccb8e2d85
SHA1 86ab3a951b70c7870b75d13a08b4e9addbc65ca6
SHA256 910fde6279502184b2a9b93f7f0319731cdb34726e77b9ef631d135ce4a6341c
SHA512 7a77c5a125ba65c19882e31ae7305a95be3e94110624582d85744e9a75705bfc4ce9a288e8aab433e773cc89770028d4a0d7619d77ba9fafb9a858cb387242f0

C:\Users\Admin\AppData\Local\Temp\cYsM.exe

MD5 44fdfa0c2477bb1539f9a81c6231959a
SHA1 adcfdbec4e1bed3edbdcff87148990b1062ff8ff
SHA256 932e70e7a411e5d95e27be52711366e90d4dcc6a23a9d1cfa39cf9ff254a5264
SHA512 54d32bd4482a89114a7e5088488aa2def077ca0be7bd2f7dde4893f5d46cb162bb2f53e738cc3d420193de4f8ed51a925e3244f0a9a6a74daaf650a12db65de8

C:\Users\Admin\AppData\Local\Temp\agEI.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\AppData\Local\Temp\YQco.exe

MD5 4b3adf1138986619c7d17b1b0c77ceab
SHA1 04387887dcfb7b8bb46ebe4adf68fe16927918a7
SHA256 e0f2573b9bc7d0f84615cab555f1f033053c85f7f67686c02ec58c9be91dfac4
SHA512 c1390dc1e710669f8b7a1197c329ca1222aeb605b46efd910e8a28b2dd29ae9c271e303bef2e9e87d3882bcdb53958aeee5be3a7eef2d21e6d4c686841080077

C:\Users\Admin\AppData\Local\Temp\mQMo.exe

MD5 db6104ac6da9e853c9a3a961dfe531b1
SHA1 1e827c7fbf3aaa7ec9ea8f59c181f5163dff1cb8
SHA256 2e375c102c5007cba3271514411361318530cfb519c21bd35838e35d68ddb154
SHA512 273e7db33c91d4e52adf3ce32afa0bcdefd525c3ba3b4722e37433ea2c28381a7ba038c988b7ea2003cb862d6d991400b476adab143375fe8bfd3f88c04bf836

C:\Users\Admin\AppData\Local\Temp\csEy.exe

MD5 eec88d1f9adb2f37865c28daf6f8205c
SHA1 f6ef54a0ba63bdf320dc56fd68aa874508520507
SHA256 deccdc5dd1dcfdef903b993fdfc0cbb2f5f6617c5dd6e6af8a5756c23222c127
SHA512 d65f1b6b1c5a42e33c23dddf59cbd763bcac7d330a5bfab35ea34f207640b948bf76b659d9cb5533ac68bd5dbb305e2715883ac33bb2d911cc1b34022ece4b17

C:\Users\Admin\AppData\Local\Temp\QAEy.exe

MD5 9cb60ab9b4933b119ee6459b28de9185
SHA1 a181770ce3479a506e2bf9e5acfeb74e48993c9e
SHA256 62a7fc9481229f87a68cd04687ba12ae499d46ce5a38ea714e1449375717fc45
SHA512 3ef5f53bde092db777b401c51512d6116e888c23655ec3dec5cc9ef60479ad4a8aaeeb75eda798e38d48bbf90d739be3e3a37dbf55e6f3eeb97ce45f1cba92c5

C:\Users\Admin\AppData\Local\Temp\sYsI.exe

MD5 b35f9c82c0cf6afc43290772c44ca3ba
SHA1 567112a84977b048d65bde501ef6301ca5e0f68f
SHA256 d82c8cf2b75a25027eca85f8a00724d12bf531c1eace9c5693541118ad427d7b
SHA512 5dacf9c706cb653ea4b5508b6ee396f3109a4c2d588adb2fec1e839aba922aa4d1eef96b4a067bdfeb3c8c9545449893a2ce73ef65aee1e520df5e179576210f

C:\Users\Admin\AppData\Local\Temp\wEgG.exe

MD5 5fcca7b0b6141bcc6cc985eea6d1db62
SHA1 0f6cff790f22affcaada79bb1a9613a677a6de9a
SHA256 bb99b660daa3deda833f4406eb6ec90c7957bcb0b6cdf5b3c26f9197a6ab7857
SHA512 091a010fe2639a4a575f9f6a54e0f8a7492ecd46a6642cdd4289a18b1d57cd7c0998012cd1d60f1bd89921e3a506cca9013b1005c3f0cd3c664e8dfd2f9f2ea5

C:\Users\Admin\AppData\Local\Temp\Iggq.exe

MD5 79cef09e67bdd994f4644bde45ad565b
SHA1 0429fbfdbe81295706a87636e5176262c799adc5
SHA256 3340d1da46b6368ed3409bb5a71f58bba4af819546c95c1df38dd69231596107
SHA512 436700267bd7eb3a854671aaca1201b88424680ecbec01db8010a5303b01287c354605053754c330f108f2388271810ea15295d4a98b650dbcb5a634315f2fd4

C:\Users\Admin\AppData\Local\Temp\mkwG.exe

MD5 231f4fe0afcf71d989275f866706f2fb
SHA1 2be2cc2a7dbfdd98b09027ebc2b2b0101550eaa2
SHA256 9c39719f26b65e12daf9d3d53ce1ce78ceba4f3911d2cfd53cfe027fa58105f9
SHA512 71f1627e65efab10982f7dbe2d7a3e06afccba41c11eb3500cc8cf7a2e671bbdb96da5992a44fff1a8cf936938ed6954cf7a74455fe88b92a5dba80b940f7d71

C:\Users\Admin\AppData\Local\Temp\cwoy.exe

MD5 7cace563d964ef73fb74796f07a050d6
SHA1 4567acd5df3d80dc5cdff50075fc7023d9ce9980
SHA256 8327614a19d7afd318dd8e92283e757748e6042ad6e357d39d0f4431fdfc8ea1
SHA512 c495b79fd7d6a1bc22251f703adb0d0143c2f42f5cfe7c730164c5ebcd475274a6d6b4bcd9cc139bd4eee69625b9ee171b8c02da8582a07e66e649b91e6261d2

C:\Users\Admin\AppData\Local\Temp\gkwk.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\KcQw.exe

MD5 8a36a588df94b0a9ed8af56598058fbd
SHA1 b4576b398a615dbd25b9ab353f2d4fff44b57ffc
SHA256 2061cea1e39b3427d74690f81c2bca3fb3e471503fda548be7c7a5e2b9d375f5
SHA512 6df82555c5abe66b74428883e042b6bd9db16a1d2e185dd4113b5ed531cc7c9291827545bff263ee5ce2da8dedced877f6e11e0380171c90960c89fcb6c03218

C:\Users\Admin\AppData\Local\Temp\EgQI.exe

MD5 044e6bf5ba9427e1a61e5c2b86fac49d
SHA1 28ab64da3ba3fa9a32b83bf6195a255a43c9886c
SHA256 5b68d8672471db6b21df5f390fdceae5a6f1417f8ca3502266f589804b607d04
SHA512 89832062f6a9f0dd0fb7dc196caea82d38300b35d5ef9fbec020060342ec6ca059e2ed759d92cef6e6a235f5cce96d50fb643ec24e8757a4810d2eb980d8a3c2

C:\Users\Admin\AppData\Local\Temp\oowK.exe

MD5 cc82ac7dd91cd4a37fd98d6803642ae4
SHA1 b1d4d313195135d2c412b34d92af90804bc831e5
SHA256 293d74d0fb0517f82351491e094c4a16ba501b8648cd0e9c76ec142b75cab84b
SHA512 757bb42475f6a0656c58e1fd59b01a0a0c0570e494c81b716e3e32f6890383b69342e00e47e547f6820dd6260f02afd9a1639077cd3be2066e328b6aced5569e

C:\Users\Admin\AppData\Local\Temp\uocQ.exe

MD5 02a0920da1b889c30bb988859b37db90
SHA1 21b3884fb2cd8d857be9ec76c3fddc02b6554287
SHA256 d712fa53f2b4c1fc0e49dcfd5a4bdb337cd30b1cf8645856883c68f464d18871
SHA512 bf20c74318d308479368b899e630a416cca7bacbf46d8eb05e4e0e6cc89e28a422acb5ec6b573bf0882d8fda744ef90f126ebed3ca58c36e75822b0630241057

C:\Users\Admin\AppData\Local\Temp\oMEM.exe

MD5 f39c6ffb33ddb0d7a26da1d16c9bc823
SHA1 6c3aaf15d644a3aeeae41d4ebb73d9a24e0bdc9e
SHA256 7ec48c4fe081ec2d9b19d7d161c215dd655dd1f4353a093c59f1edbc3832514e
SHA512 2b9b0abc580818af2d618e3247364215fc828b8de3dfca2d0a3023fc94ebec30cc22a0455089f0d18d8982894f043af228c0d262efc00fb77e582e94eca6c970

C:\Users\Admin\AppData\Local\Temp\gkEq.exe

MD5 385dd0b321d4cad20723e1043e12cc82
SHA1 c484c22dc06546ad440865c9cb48525aba5199fe
SHA256 f2f1bd709144a52fd14d74b0147db36794677b8ccd5e229a3f451d607f48b24c
SHA512 4e2416485883e38e20abd4592fcd1153a0c02aeac91eecacce18411516e3bebc2227b42b9ca1f75ce192da71941aef1e224631b62c0ac29a1f6d4e259b0f6594

C:\Users\Admin\AppData\Local\Temp\uUAs.exe

MD5 195174b03509b393262a2d2d8af310ba
SHA1 f8399023b049eadbdbfcc6bd2f52e86a22060d76
SHA256 82d43126801244162cabce174ef47d16abebb39384680812dc09157126132831
SHA512 c970a11458530c7d46b88ad5b8dd7e6e7475cd38b3c6d30dbfbc3188e303c7459ca909ba221acd4e2d20e74e1ab9d95d9088044a10f269c9200f5ca173baad60

C:\Users\Admin\AppData\Local\Temp\EMcm.exe

MD5 aa0600b0825522d40efd39a1870b2b0e
SHA1 2886bb6956e43d0893bebe327df23ff8c6080dbc
SHA256 9eab4fed66aa3b84a4744d7642bd5adbefe16580dfcaa14ca027c1741905e67a
SHA512 53c2d49b3b90457ff8b9c1a789b38745ae8cf9d28050e810f51df8a3e85108c21e407497c1aad6e250013364afcf259755c7f41e4843a784c9b1922d410a7961

C:\Users\Admin\AppData\Local\Temp\MEcM.exe

MD5 2d5a50db5d99dfe6fbd9a936bae88f5b
SHA1 337ac56c34ec41cfc8be5eb9372bc8ab2388f67e
SHA256 547c9554f66c6747740bb50eb367dd4088c8cbd3244746a39c20d0718eb6cd70
SHA512 1b53cc5e4124c0ac9185f365a9a42bfa218ea1572b9a1f580cbed705e3112c6df26542f94d2cf873dc9d430ff15b44b20b61db1471a9166ee93eb898950e336c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

MD5 8e7ee8fb3324c432da1bef1a8c0ef707
SHA1 063ed005bd69f58182ed28336ad4fbfdbaa0962f
SHA256 87b57ffdb37c374da7b21d0c061061c8c60c72db5bba015dbfa74129f7827b04
SHA512 16f728f4eca40285c7761cb7cafe4416943590aa7a8ffc16a9ad22e88d2680739d1bf392cb80188534b0682688db900cb10ec2f7fb9a533e90e522ac16a1ac72

C:\Users\Admin\AppData\Local\Temp\kEso.exe

MD5 d26e62a5024f21f295ad9f99d76ae560
SHA1 15874ebacc155bc9db9f8ef37749bb711134549b
SHA256 4f23bfeabfde861f58c604c4307bbd2b056bc99dd02c71ad2d8b6f1ed239076e
SHA512 5ce67a641f3f9b14d7cbcc09a7d78656d4dfb7459cbda83994dd2d9b7c3889cfcfa803851cbab99650e15c50e68338ef366974672a28b4b3aab319ccbfee772c

C:\Users\Admin\AppData\Local\Temp\IAMg.exe

MD5 be4876c48c469cf1d894ed2c5baa984a
SHA1 ac07909dfa043345625be44ee2f64b69b761f91b
SHA256 655b9d9662260f11a449ff44d07178a427b0a4916564eecd72794ba25461a087
SHA512 9b0658bbbe1edb155abc8d694d145b87823e95a4816eba15b75f0fd5120704eca8c0299d9f232c6d5a387ca3526f85c76f740218cd80d3bec8424c2fa71c9a5f

C:\Users\Admin\AppData\Local\Temp\KkUK.exe

MD5 2382e0b4ffeb1ef6badb7b477a4396d0
SHA1 59c0ceff281f6496a2831dbcff7d1794ce9def91
SHA256 440f8adff324a6ffcb295342ba4cfe67425fc19658d34e2a436aaba28637d5b8
SHA512 c3673596c7a615ab913ca47570411adf8838b5898789da3c601d5b735d2617294f81313f0b122dab648e10c07a07dd340b566929cfe7b99af2a831ec258f7a1a

C:\Users\Admin\AppData\Local\Temp\IQUC.exe

MD5 846960f9ecfacbd44c1e01e1a8c19993
SHA1 f3c2219f95bc1ed367414da42006c151c458fc65
SHA256 0e44ab197990516fa91980f1d2e95ac3263a4949fd18037a2a67065a8e1221f2
SHA512 af8771e92d5c19614e8ac708efc4f74b4a39b789a31f3a41a3a1e9b909c1194ebc2ed7dd929a546ca134d7353ce23bb773ef62b140034e9a98bd14e2184e0054

C:\Users\Admin\AppData\Local\Temp\ecMc.exe

MD5 d07d0b58670b5f6c779220636faaba38
SHA1 dec3c10be24d30f6806b711ad95737291674b286
SHA256 2f9731388a744eaa5636befbb9810f112d6bcb34b97f624c950ef9c560137acc
SHA512 5537074eaf68f66af9d47367cc0dca232775ec3c14b9fd3caba027e7f1f92ce01a55c8ea1fe07535e999812f1a68b32e2d3e3c08860ff177b5df9889ac6ca622

C:\Users\Admin\AppData\Local\Temp\Woog.exe

MD5 ae73c9481e96b06efbccf7cf7fe97f29
SHA1 6c84d7269be85d18c68d35be8b0f4bdfa0e338b7
SHA256 e7666591a5f6abc76f5abdbb22efe230cfa6264d0a742114128f726d80e2eb1d
SHA512 e5e59613d1ecdec7a17a01cdb03dc49ba002cd047ddeb2ff7bbd2b78bbf92f17d72b11e7f843639670201d9ce4ce2f56cf35e86bae7a6c70a422b92463ba463f

C:\Users\Admin\AppData\Local\Temp\uIAg.exe

MD5 12cd64015c4ebdc3383abeca291d5d52
SHA1 180b63f0c72ce7d5aff8d72b768dcb4dcf1a869f
SHA256 a8898df9989f60b71c2427d1f5b03f9275a0ba0f8ebc07cebf9c2c4cedf37f91
SHA512 fa24a812921b4ad4656ef02c5322c55a36a6cd7616d8ad1abf18686501e70da710d8a022ce79f2fc3cb6c365880c780cd80c1e84654bb6522d0d957407636620

C:\Users\Admin\AppData\Local\Temp\ugYM.exe

MD5 fddfd25ac78eaed9461a9f73b72da90f
SHA1 4b66076f03e2267abc5271ae13198dad8f87db05
SHA256 69ecd4f2d65d9a7e8433ad4c93eedb8f61bcb849af6b3f59df5c2984ae2e65a7
SHA512 114b763f595b66da721183045d63bde7547d4f335719cad6aaab717cb32cc297a10e67154d16fe47cde2727f79528603f2a3b5495f72898232aca39bac27511f

C:\Users\Admin\AppData\Local\Temp\WMQO.exe

MD5 d770f4d43af996c92a4d8a9d0f21677e
SHA1 7df546d370e3ad854f0f1ae7bec0e5cb9000c715
SHA256 644a31cbe917fbc289515aa590b9f4f00a0e9a94f5a63fcd49a4d314923aa414
SHA512 d9ecf3d34c0c55fb7ac082086b81e1a93abdf8616cfc8ae9d34c5cad52ba1b9fb7c60724b80a0a1a8fe1d84d2b578c52ef30a842fdfd5a308e6686b909feea74

C:\Users\Admin\AppData\Local\Temp\sAoe.exe

MD5 8a9bdccef1f1e944d9ddda9793699eaf
SHA1 a77027ced98594fe7cc041cd9ea8a675545dbfd2
SHA256 011b8dd8b78d7239be2220a6c3e0116dc44e6185921f89c6948d63ecf8fb97d7
SHA512 0ac7a4ab05280f96c486fd6f26a91db28bb3b3d16695b94d7fba8541431ab50588ec78fddfdb65de849f0917f290333bca36df8ce32ec8f0d2bb1c07e5f26e29

C:\Users\Admin\AppData\Local\Temp\cYkI.exe

MD5 97e0859f104c30abe3013a720224afb2
SHA1 79115a446e9556d9f008396a3947e1ff0b143b03
SHA256 f75ac8a4c45b67aabcbf27b3647deff6460047d439e4d76ddb8948bb0d18954b
SHA512 0cbc27f09dcd7f93bb9aef99d39de0644c391b28a83c2021240423660439ab10f9aab39a724aa518709219d7faa6657084c66594fc18505ddff2341f6a1e7f4b

C:\Users\Admin\AppData\Local\Temp\EAEI.exe

MD5 a269d551b1294064a2f6a2d528f0ca9a
SHA1 22f205e4b25d665e9a8ac150b8b47024f749176a
SHA256 4861bf5ff914187df6ea1af6f47fd5a3b85095e1ef96dc0b231e7a130f3d39a0
SHA512 58756bc8c93bc3309b7cc20f4f0113436376650a38cfd32079eadf335bcc272db167dece1cf963fcfe2ca150bebc7ae9eeae85e60486b8934c687dc2a519faf4

C:\Users\Admin\AppData\Local\Temp\eIYa.exe

MD5 3fce29821bbf82b0ec0482de094e681b
SHA1 4fec6ed58d6249797277e61248eed2825bbba954
SHA256 2e2b6950fa12da246e28fef64fb519911539e84b4b099c8052da5445289ed207
SHA512 405fd6c7042bf3bdbcc22fd3b01c187bc38d3d29c611c9999992919b4c8d46201e1a5ad0742b251f2b033a00b86f6141d5337f7f9e37591c9633bfe87d76a7ba

C:\Users\Admin\AppData\Local\Temp\kokg.exe

MD5 c07a85f606302a63e2b9c3d28a9ee3e9
SHA1 50b6aa82eba16cf9790cf8e732dfd539799e7cdd
SHA256 25e4c6ff88dfd032defd2b775d18586ed586fc309c74dd3c2ac60f658d740007
SHA512 019efc717995422105ebb459d8f1d3ec1bc15a93ec4479a80e0a57d8bc836b663a5dfbf857e6decee5474a0322de089d0f128d1d1cb08e81ff71287962ba8e78

C:\Users\Admin\AppData\Local\Temp\wAQI.exe

MD5 46355e810364769057da178334bf4079
SHA1 f1cd217d713fbac40b66e9f91e976fc3f5461eed
SHA256 479f61d068eb92c848dbeae9ed6b117aabf1705768b938852fd53fee3ed0492f
SHA512 97b9b5f851280f241ffec7cd33249cf8ae3043731199b3bf574e3b599eab5a2a0e26b4ddd7212ddb0973956b35b8f7bbb0c8ac5de0166b9f1558914b5a37b1cb

C:\Users\Admin\AppData\Local\Temp\EIcs.exe

MD5 f092023727fea1670b8f5ef65e7e42b4
SHA1 5a1f22ab3311e6784cb57a305d81bb100dce8a7a
SHA256 fdbde500af30e1d185402a77b0fe23bec8f4fa66a7d2e25c7b4414544205993c
SHA512 b38fe963cbc12495271ae41891bfa70ec2cc901501e234ad96afddc28d6873f0c663d927efcd1b787475d86fee9deac18b4f35f3a44a6ebd2877053de8a09176

C:\Users\Admin\AppData\Local\Temp\Qskm.exe

MD5 d13a182f6c068d0d76e390b1b96a3ddb
SHA1 5b6b625db71041b3c3572e1f6d96e18ee3beae1b
SHA256 88b16ee840b92d8fccccbc2621f34af1de36488fc72b3348375df09a6acda3de
SHA512 eda332315f014d876757f73a6bbc1dd1bba94d33d66c07c082b757f237579d5460aa48f88c60be07348b315f42e9e2560dd59df531b1ab9f654f7f8141f66396

C:\Users\Admin\AppData\Local\Temp\Okky.exe

MD5 4c4620af782ef5d9653f74e22dad1980
SHA1 f33d1122ac3d55640647e357df87101f812e5cec
SHA256 2c3b6cdd8b0904fb577eeb7938bf656fefbe01869757f28fba745a2aab4a0b32
SHA512 940ccf82428ec2e5492781a5c016101e740485a4cdb659fdfc78952c5eec7be28da3dee519ca2a48e63388a5c5538931d3f436ab747bdf05a7a37d995b585bcf

C:\Users\Admin\AppData\Local\Temp\iooA.exe

MD5 ec3bf599428eb75b5d6010f65425a153
SHA1 1cc063cd6ce300027f90b07b0b43fc1af3858d99
SHA256 7922335b13d39029fde2dea4d72ba239146c71a649c306ff7aa2b16a67483d81
SHA512 833b7c46f6291b3411bb2e4a2d24b13b1a6fa719a3160f552f1e4a9ddcfd8677e0ad9bb68235da9f59b9963ee6dc965ee60a0fa06c373123390e6204b00f1e13

C:\Users\Admin\AppData\Local\Temp\uwgw.exe

MD5 356de95ae68cac7b737b6e3b3a7197a1
SHA1 b4409072a70f149d0e0a2e7ff7a7e45af26bb479
SHA256 50587eaa3c79f40b2ec105e809e6db708161cc43d80280d8bc3b15fec4e0c8ac
SHA512 c902748a58c7db54eb99c2f333df3cbe90ba78c923c470a86a76ccc1b2283ba3ed3e84d456056e2d65dfaf7704858088421553fd7965671fa56a7030a248d4fb

C:\Users\Admin\AppData\Local\Temp\kQgQ.exe

MD5 f84febf2de8f22ee361601a1783ff95b
SHA1 2ea2407625b1b5e6e2ca23683c1cf11b6605590a
SHA256 781575feaa21d6906e3ad09d13fcc936fb47d40d1513216c7a65ef9e0916c1f0
SHA512 3726f548faaf059d603511bc4cf114f46c95f3770ac045034e7b4fc4a87ec52683542157a2e0a29034726530620d03dad9362c7371a03cc88c795d1e9d0b738a

C:\Users\Admin\AppData\Local\Temp\yIgK.exe

MD5 05318cf984e1bf969175de1f48277706
SHA1 1ec5b28558989832b24a445ab875113f7303d3bb
SHA256 3b184eece3f2135819df21ec9390d53fd2ed571c491a365c056ae76016b1d4d2
SHA512 460b1984453951455e1fb6f8f63b708e92933ab8e871657ea7809e227cef6936707f609acce0a13685215711132c44ff799ab44960fee757bb1f87ecac6b9392

C:\Users\Admin\AppData\Local\Temp\gEkC.exe

MD5 6bb4f5b629cf4d3e8cbe703aea1404ee
SHA1 5cd589aa26b9782091c57c4a12a75db77c70f238
SHA256 7fe4349e6ab8230c138a82818402f5c0ea97b9f18b9db05f879f4d81023f9f5e
SHA512 8b13d8bc92a372dec768d3412893106f36b4e48d2c0ac548cbfa0fc1089e2a5709001faa261ebab19993f735de428a31d7e084248542445a56b1fdeaabe452ff

C:\Users\Admin\AppData\Local\Temp\Mkoc.exe

MD5 3949be0d45fecffbc5bedbb2d9e22e94
SHA1 8f37361c023cf86cab2886618a58e8780b1d7b2a
SHA256 e006b196ac25cb04cebb4f32ad9d3946dc5f7044d31ae343e1128decf79c7bfe
SHA512 804635a9921fd6e1e3bf01c6a26efef620c3f33d11f3468026973e0b305ae95f5ed6b4704816162d549925dfd559e1899288b23ed05390dc693ae560b44c9eb9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 1f4e7a687b85711711dac39fd28865e9
SHA1 6a603d4c7c1ed5993b1d309731611bc77a3fbdcd
SHA256 e30211c45ba854c9b146f7dc6cd65f3628c634400192bb03b921ee3d6440d03f
SHA512 83eab4e58483db9e3fcd3c36de17367a195181608bb6feb9554dd84f89f3b4034c35a7d595ecb256f39c01d9b3279018cbac29eaf1f0464da0b1510ffe8df95b

C:\Users\Admin\AppData\Local\Temp\ooIY.exe

MD5 ffbdd2bdbea6b64af337b74820c14aa0
SHA1 028f905af3aefdab9e3857d92acf46bfb5ea1360
SHA256 8d53b82e05f6caa426ae5917883a2d8eff5abc01122728299f08135c3ffae0bb
SHA512 ab379d79d5df0bb2ee6d85d92c95a1b5ba7fc3c0b5e19294bb4224ed73db2fd44640f87d8e7e4ddea50c10a8a87fda80ec68f432d2dce14e1c3b0af2341cee43

C:\Users\Admin\AppData\Local\Temp\ugkc.exe

MD5 59973ee1f67b2efe00095eb0ac8795b4
SHA1 02badd4d976287b3cb3e7a2c2bc845ad3306bc70
SHA256 b5446e872553d48c5aed13ea5fa5d6065161b968b888c03904fe2177bcfec3cd
SHA512 9143d31ff15264df1af1da08d5b1aa6575168c97918e73d8768ae16a9000dd3132c1ca8e132abb7fa1a97e118bd2a278610383cd7d62a898e272a7e4921e3829

C:\Users\Admin\AppData\Local\Temp\kIEG.exe

MD5 c9d987d8f793e09e0987fa6424c48aeb
SHA1 4d798394dc6540ae1c1d629c58e40054dca83062
SHA256 1986e58248977cef42c248ed0c21203b42beee760bcda54c34c6fef30b6bcba8
SHA512 35a724ab69b5cdfbed511d29c2fbff50a927559c8fac6dbd00ec3e7a8f9588f6bebce973f6ca56b44d8fd41992ca7e6541fe530a304fbf801532107abd716646

C:\Users\Admin\AppData\Local\Temp\IkoG.exe

MD5 161f0ff7061d83a402f232b919268dc3
SHA1 64be699e3667fd0ccb4dd290e1e122218a0a861c
SHA256 59c03bad1cc15fc7e297270c43712751d9b2b1b61d8d84282f8d2be46378088d
SHA512 9f359da63cec5e0e90f132c513f02ce3aff76276edf4f09ca59e6e22dbf47b913bdee8fb35071e5710a80aff6ce56398b761deb23d59e26e0bbd4120e2776858

C:\Users\Admin\AppData\Local\Temp\MQYG.exe

MD5 437309cb060771b0d4debe27d71bacf4
SHA1 1148927091b4a3e40726fc3c637ebaad81a9c559
SHA256 3658cd5d25c1000494259bcc87d0f084ee4eeb73b0e76a4a369bb9c51e0ab6e7
SHA512 71e5862605fe459c4ed2298376b03917005197555cb60e4c0b67e90e83ed92b7389f3764282344ed6d3cb3cf05c36f00b2d2bcc875368668449f68c3b058bb5f

C:\Users\Admin\AppData\Local\Temp\IMwQ.exe

MD5 bcacd3b3d17577bd85e84a01bad36530
SHA1 4451da5dabee2f7a89d51dcc4381908464808350
SHA256 0949ed82b32d60f72ffc38a053bbc5c0eea87ab34070494764e18b446ee5cb3d
SHA512 9053288f26147a4b2f15cd4a00309ba5dd56f9f14aa69089ab00ec78573aec65bd938c76ad7890bb1197e12f0f7a56cfb00cb835bf9df3d1dd003eefe4c98374

C:\Users\Admin\AppData\Local\Temp\CUcA.exe

MD5 13cc4cb8351de9c509db7aba161665cf
SHA1 6a78601ff61442cdc154b6983eb0d6c9f0e6c2b3
SHA256 3cdeb078e1ca9f284a6553fb9160f472862081fa55b8118d59a81003ef14992e
SHA512 351cbc4c79798b891793ebd69cc30645894edb21538bdeb717743402c500c0f13dd3fbea420bd8543a88499a5866f38d64332368be14530ec9a6f399e19ac5a5

C:\Users\Admin\AppData\Local\Temp\MQYa.exe

MD5 a0646b47991a698a258458419ef729eb
SHA1 a3a3f18dd215961a5cbde44a0afafae7acea2580
SHA256 7cea71e23158813ad751fbe23ab55293a6b880a42916d073c38d4caa4fa4c85b
SHA512 344eb5685ed008738e073fc2db328916377d7042380033fdb85fc228e716152e036466f0c0e5bc0f0bee3e5c58be98fc8bd7c395b83cb83af27d5a862445df77

C:\Users\Admin\AppData\Local\Temp\qwgE.exe

MD5 0187542052c307c4e16978872345c86a
SHA1 bf1faeea0fc15cc0b0f450a45efa433973d64977
SHA256 0b378cd81e77ed21c6091849a58f480ee74a736561029ba6b1cf851c419126e4
SHA512 844f827f67885f8b483d1a52786c77bb40f6df73b864838cda258d9fc98bf62afcc540e3105b68fb970b729db2ce79e69fecf82eac83d6e7a06d2b9920d91219

C:\Users\Admin\AppData\Local\Temp\MUUY.exe

MD5 47d21d9689a1b01040eb199a4175f006
SHA1 438264b38428b53f96379c3e5b6021e891457e9a
SHA256 994d7e3443b53c16d5bd3b86c987cdb442aae06c5c07e93168033438aca2e6eb
SHA512 46cdd1068de9c7685222cb15974ab62da073ab419cd2d040f53bf417f626c668fdc7e8b401c002ec7048c4d4daa079e042d5c1d42814a082148c8e73f2b46e91

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 f6367e448426ac5acf8996ae1ca4d15f
SHA1 800adc618aa4760255aa6b26e184839fb4a26c6e
SHA256 1880f2c7f84d646f3fe51691d7846118b558d94dede31d38eb91234631856fdd
SHA512 db1d40b22c85b120daba76f07d79fb5dc556931386b4c6354d07013128350ccbd8e8704dee084f743fc0f46c39a4b8aac04fe5217c6ce3a3b323f0f5a96e0b1a

C:\Users\Admin\AppData\Local\Temp\WcIq.exe

MD5 2aac6826b12497ad8b8fe964d4a53142
SHA1 e74cc2c1448417de96d6409d38d8b09cd87ffb14
SHA256 5048fd513857d9e0f586e5ad471b57f07a0bbc600751b97262d7c4b5a5b052dc
SHA512 fb4a9d197659fd245bcaf352581b08283527cc21ad4b937fbbcf11b8fead258808be9e979e92e04ea8d2e0e3a8e36668c68d8ce4ced4a4eb7375923ec6052d10

C:\Users\Admin\AppData\Local\Temp\qcka.exe

MD5 bd9b3dc903ce857ebc95cccd9f95cedd
SHA1 7c7a30c36045c2a04e3006d3ab373ced85942ad4
SHA256 a99e5ddd011112ac009182a7589fc8eddfe4d7f26b4d51446446db719a2b4c4c
SHA512 89e58d7bfb2da5d2c15c80be7439d9465e169f333a451b44443ba6577b19a34e9915e6cf13d79d48654fc48058605bb7bfd36fc42dbb052858945ec0e317f6bb

C:\Users\Admin\AppData\Local\Temp\iwoQ.exe

MD5 22fe66b3308b01af18e8cb7a9da3d55f
SHA1 49766689a574a287f302ebef67bf4079c3fbf99b
SHA256 1add2c79c8563b3bd58d957730742afad04d9ab36d31ced05cf71f897e61d009
SHA512 c1ce00e166283a1d8eb615433cfda498a6275ca2e950a4aa7833dad85ddf5a4c51119da7f22862199e812a64d0dbf3e6f51a75174a06ff3cfb6537327feb2ae7

C:\Users\Admin\AppData\Local\Temp\aQQa.exe

MD5 da57dc1eaf7411626de38f0f7ea444d2
SHA1 361f387445475200c93c0166975b3f88d61f4d43
SHA256 df4ca526813719f13df5d69c6321f3322c6f604e3e42748525be1b524143c36c
SHA512 7590e969011e36da5621d516f343d2d853c3518af2c571cdb8910a14288ef55e2ab34ddcfe483408fcdd51bf54d818125093ecdba9bf939e01fb65e85bad0928

C:\Users\Admin\AppData\Local\Temp\iYgK.exe

MD5 307439f1e79211e4743414201857d7d5
SHA1 14c6c8898fc55d99abac835ba2d351b2f4d31ed1
SHA256 343820f8db31045bc322607ba8726dcecf12fcc186fc2830ec89eee467fc3231
SHA512 2fa39dd11dce177fab67385ae3179c505d4e0e982144203289e4f5e14081f6db50cefc7e7cae92caffcce0718db93334900d9d0a3ed0be06e7a3c19bcb7894d8

C:\Users\Admin\AppData\Local\Temp\GwYe.exe

MD5 e3d1523261ace415b6135d260af225ae
SHA1 ed0233a7ff831047584109d99d3c83fab7d6430c
SHA256 a208dc6884a2a5e07721fcb708ea5d2bccd636c54aee48d1ff2cf88c68aa8600
SHA512 1010ddc56e45347378a14129dbfaf68409e77bc24d789ea5579cb2ee85ee06a4c97bfc6dd82f5a0a1ce99fec39ce09b7d73cef27d4771fa502da05df1da46180

C:\Users\Admin\AppData\Local\Temp\KoEM.exe

MD5 a5eb4fe0fce9842247e06e3eb11d9c11
SHA1 d39a60ed8b2f9c78e2b022c54fa880ffd482670e
SHA256 42669fd150e7d3bea391447f7e3d588ee50e5345fc4388549ed08d2a54ebb358
SHA512 22c383a575171c4da551ce52738c98d2490e46b5df86e235f27d1f09a59243b7c0c14cfba9847c34fe583e49c720693a69ba444c10aaf4a2273d51bbef5a150e

C:\Users\Admin\AppData\Local\Temp\ckIe.exe

MD5 f1093f60ebfb316a31e3b3a3342740c0
SHA1 58c9928b909c17c5252c311b560afddc0c6c38af
SHA256 e9dc02aa4c77bec4156eef3bd00870b5ce78907ad62af5523d075955778591da
SHA512 bd83ab0fab992f03a836ccb2ffa0f679c2e35744aad51c0d68640857999ff236d72e9456e8c89aa48a5149cbd0c26ee6d5d6506433aaa599d911db379b5847cf

C:\Users\Admin\AppData\Local\Temp\wYgy.exe

MD5 5820166f5d40cc1f7720f6a239a8f211
SHA1 9986e11057d57fcafc043749b7ebe339800c7d77
SHA256 c52ca439f9b374ce4fe454ba37961f8ce25a9d99b804c6c0a7341a4bcfda02e4
SHA512 29237d18f37399a218070b1b87bd7ef4f5625196dbfafe02b17dd685b353110cf46e855ae2e5c5fa61bec44b50d1649222c4288ddda5088177b055c2a3e6b061

C:\Users\Admin\AppData\Local\Temp\Cggg.exe

MD5 3e3cd95a63da179519dcf7ec50318ebc
SHA1 23898a328c5a6d7065805a24767153909d84870c
SHA256 1fab0ee0a4a32bd4268d4b58fee55e5dfbf2945ada63bf90c8821f8413fae9d7
SHA512 8a4f38a4cc4ba50ae52a412a8c4da7da748f74e193d64f552f485598df6fde26e1d1103deada2ee968023fd93e801d908cefca332b86c5e43e99f0796fff5d02

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 3dd982e56b41e66f0fcb34e3a738b717
SHA1 25ee257e7de058a8b39b24e604d50cf8069bcdc6
SHA256 b261aa7511cc438c249ffd1ff5798338cab4b29bcf6efe5261b399496f06952d
SHA512 dac66c88e9c5e506ba831674aab44b73429a14588d0b1f016b063680de0bd55ba076eeeca1176e69a68de4466668b3f41edfd434583489346118b3e8ec4f78ee

C:\Users\Admin\AppData\Local\Temp\EYcQ.exe

MD5 16ea45904036d68a726937b42c46a0c3
SHA1 be81de280ecfdb726731027ef669c20c943263b9
SHA256 687404dd1fc708345eeea543d188f9bd7d550f638970decca3dcd5a167d94f3e
SHA512 66410e0d00656230538da04f8ff54157b6863f2ea69fbed7454f074e8fa90dd09c17d21d854b56a4acf5bbc8ce63a1d3314a7f8f571d64658ee5bc3b221c1663

C:\Users\Admin\AppData\Local\Temp\MooS.exe

MD5 8be0e4f26fd2488876a86f1e98892c07
SHA1 3c99a7a3e33a5fbb1cf847194c189b2fdb0313b4
SHA256 0eead9fd9e78646832b8e4191a261bcf0bff255d72e615147ede6645f6d1c080
SHA512 71f2db8d6a504855b3d4842750c6c3ff3041ad81b76fb451e6469415aadaf5c6d398ab7e4f5627407413a8fd3f5310b9e64c0e99055b65b944dd7d0563c2b80e

C:\Users\Admin\AppData\Local\Temp\Qsgg.exe

MD5 4a8947fa37f6a6ce43baca0a895acab8
SHA1 53f03f4dd4f5027e94352d558ac0b7b5507bfbf2
SHA256 dcd7393650a95ecc2fa861565012e56688aaac9670c3dadeed3d9acdd31a8c27
SHA512 e131f210dc3ec15f8bc6329668a1b7e1c388267b5024aa71a4d07e134c312558ee257689a8ac4e35056f14a376c9624798c3802c9f3c6868ac0415119e5b32b6

C:\Users\Admin\AppData\Local\Temp\AgEg.exe

MD5 c2e42e1b5a5cf7dd8fb4aecf18acc716
SHA1 de55971a16cf342d8e36aa82287119bc30ceac26
SHA256 05d2a0ba3fa76ffa81c5af91ea48ebd7755263d7b27db690acb310ca2f6b30d4
SHA512 f86a4656e2d02a027de2f671f050c378f18a90609b0369aeae017acdfdb56fb68888ec5009e104d975f0eb1b0d8566fb6266b34ed0a203abed03dbab83e20160

C:\Users\Admin\AppData\Local\Temp\qYsS.exe

MD5 77eab9f5767e244b07e8c010ea77d426
SHA1 ca419f21394bc99e6628bd4554d5819db7039b67
SHA256 496324d757048e5ab8123b5d28d87f4ca24aa280cca0251534357b5228770f23
SHA512 3a41d2a23e8c32b8a945f91eaff8460c3ebfcb577a7e543f688882eb64895dd759b32225c6c4f1ffc6ed7c391b4ceccb7c0ba377eccba17b2c57f6444e65ce4d

C:\Users\Admin\AppData\Local\Temp\SMAG.exe

MD5 6a9570e5702e10679c3c845337e757d7
SHA1 0da1467d0bf15a800b1afc31b6da5c899afa3472
SHA256 5ad6556ce50b236fd53d08d77fd0291038cade9b543f4f4b24436f7d058c38f9
SHA512 1ed0c88b3aadcda9363e950a26a10ae924b58878e131988b620579eb1b1c1c7f5802a6d784037f9a4b77c091ae42d0b08182d7b80df5042ef367738d398aee6e

C:\Users\Admin\AppData\Local\Temp\UoQg.exe

MD5 56bee5f1b2b76c5d994fb8d92f059425
SHA1 e7e16be240c68102e41f84847ad32833c3ab59f1
SHA256 6137b3e48578f1500625a24100391d4bd7b81c49d1610ca384a55b9f68febe43
SHA512 e2ae9e78ebf44fee7c1b72e13951e9d6fabcbcd94cc898d68b5cca9f474de98672a9225d9867200847982d748dde282f47762471c51c897b705169cae2026a8c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

MD5 7c4a19bab9ffe9acfbc120cd2213e930
SHA1 60ed0c18be70c47b03ac1b8f393c4bb98fed8732
SHA256 48975f477607bca15537c3607fc493bccc5704b94af7dd8f0c81c65ea347559d
SHA512 9522015bdefd2a72a32f7a36c4aaac72c6550106b8a1c6cb1f7dc54e5f6129759425e34160c1b303c1d9e93dcdc62dc8a1b238a5ffcfc85bf4c06809223f5211

C:\Users\Admin\AppData\Local\Temp\IAUq.exe

MD5 c0f18fca54e8f84825cae1d2660cc0de
SHA1 39a20230526a14a5168c22009b4c4f38a38c112d
SHA256 5a5db53b20274192497d328ac640111417bcf66263ec8b1d634c5ce7cde05675
SHA512 cb1e9b1e3ca70981150a855cb807d8ce8a779ed0d8cec0829889804e67daa43d7378e81db55d0c6bec47c53d8b0b1eef407963c20595dd795ee56372d131d86e

C:\Users\Admin\AppData\Local\Temp\wwYG.exe

MD5 5d0a7531e8fe5d44d3ee36ca41916a3f
SHA1 c7c052698c361f7916fcb6c64b5805980bd19cfe
SHA256 49930059438468dff4ff4a4d452e1c88048d0fd1093d4f1b1e0866cb29f1f238
SHA512 991bb3a6cc6f35e1627e0e0a7736e68b93d06992dbba81cb05f1aabea647410a7cdbd12673bd0fa060fff9663cee364af3d499e607c5f47a800972a317b31c38

C:\Users\Admin\AppData\Local\Temp\eMYg.exe

MD5 264060ff2feeba103004ddfc6b55ea56
SHA1 417e1a67fafc8cb754479bdfab8c642865bc5d64
SHA256 265b60d79b8c5f0a801080e19fa38dd8a33154ebd5eee3a1e71efa23445fa235
SHA512 4a02cee307446b960c72b3ca3a7a615ff96cb49aa2ca1b22017332086373917ffb73767e08d1330c767a7519b6715b4846f81ae30f32b242dfc6d3e7d7265c91

C:\Users\Admin\AppData\Local\Temp\MYca.exe

MD5 08bb8cb74f4911e17c65befea4166dcd
SHA1 35d94e29e6326bc1c5f6ed066ba124530ca9491f
SHA256 287cb70d839585270676dfa9442034b1c72cd85c5cf42a53218d8193b44e94e8
SHA512 ce7afc9aa94a215b11bdd831d5fe3c0aa1ef3cb4371d35afd56002f721de85c229febde928499fc7884614c1942a825edf69b817562d56d28f3f08b64f10e6a6

C:\Users\Admin\AppData\Local\Temp\okEU.exe

MD5 e26285f7990bf252127ec8bfc5aede76
SHA1 594f50fb01d6d1ac31818a9681311b5cd7391b1e
SHA256 e4fc5d6a77fb69db7b87dfdbc15b122c673bd94ebd010c6e5d37f634963a3976
SHA512 914c1385e3e11dc660bde9587f5bb8af90db3d128bd1dff7b7a578aa3502ca65773226ead0bded0617ee8571d3d3d8c64ea717e1687b1f8a738ba8ba6468872b

C:\Users\Admin\AppData\Local\Temp\oIgc.exe

MD5 bd5cc01457f35b3c170ecd8e6543a9a4
SHA1 3742f767e82a483ecf87c7803dbaebcbb0dc8388
SHA256 c158447ecbe4cb13f5a5db6b4df83a1fb4ca46ce019b896cd0e5fd4557085c76
SHA512 f3d037a1875aa06dd64fa085d4f9cebfc47bc9c684e8353c2952bbc37b2ce930942bdcae958c39e61e40ba00eaf1584c5333b2c6945cee0410f2918690cfa675

C:\Users\Admin\AppData\Local\Temp\IsMk.exe

MD5 c0e1f9897c03f1ab1211b0ec59d4c5b4
SHA1 ee12444ec77bed60216075467a7d7f3208d1a70a
SHA256 b2876cbbac84323a6a27caed000286237fe929de29b25a13aaed84e791e5b301
SHA512 b969f8557d0397922700265807ba9fe05996d5eec008159e61a813adcbf2e5dec4086a26f367c391bc060242ac6a444ea75c22139a1edf00b75d583e6ca6cc95

C:\Users\Admin\AppData\Local\Temp\IQQo.exe

MD5 1021581706da64dc51704a9b1ee5f57f
SHA1 3364a549d7406e1589615f7c20d9bef1d8bcb7be
SHA256 66e8f4c8e77c39359a6e83a4c5c679722629c513f31fa9e079ed288446513e87
SHA512 547f7de9005794d39c976efb60a497e439801c73ae4687b133aadcea6e0fe990dc5c91b19681f8836745747ffc518ae5a9baa20e00a9f98b673b6cf2fdb7bf4a

C:\Users\Admin\AppData\Local\Temp\MYMs.exe

MD5 7d7ae93eb4465183d458d6b8461929aa
SHA1 37bc432f56d8cab63a0217dd6f50e8b51357b3ac
SHA256 f477d4e52c0384807dd2f755e357e0cf8ce2d85a9ee348fda9db86e8d78f71c4
SHA512 58c6f4595154b46242ed8043601232f9cdbfbc3e7b272bcb75138cab35e1287783d05cf3c9a2cae9aeb6c35d91783bf95d6adc06241ea36e91ab56d2a1247e88

C:\Users\Admin\AppData\Local\Temp\uYgU.exe

MD5 846f729c891be3aca942a077eb3ef2a6
SHA1 0d12e47eaf42b96da48a56a6d83ac420f0657967
SHA256 e4fecece898999fd631c082405d63b93ffc4296caf12f0b0ca0985fe970df652
SHA512 b7560add65efa8d9ddbe625da3d90a17b891fdf093f23dfed91e2578536468d4e3a15c8f0f126d7972cf0eeebcd511f329a24bc570095d441950dd496c1323cc

C:\Users\Admin\AppData\Local\Temp\yAIK.exe

MD5 2fa1b8161764cbf95aa04c25081de7f6
SHA1 6d39e633434997167b7d3da17bedcec114d604e8
SHA256 828b0d47ac4bc31ecc9772202a554bfeb867fa91ca588c6fd4d113ae01d2f144
SHA512 d9747150964cae5f04f65e24a0ff35578a77b81ccb5d97914f4f1dcfec340e790560dc4789c41aea63d2ba36ccd9fe34e263010735f9e76801590b8b8db6491c

C:\Users\Admin\AppData\Local\Temp\CkQK.exe

MD5 e4cbb45bf4ff3c21bd846e4867e3d0b8
SHA1 6923567be25976ad704bbe313a0644ad5e594e5f
SHA256 58321823167dac852c25c94760f81c5b2044bfb33aca2fd8b73734e884e859ce
SHA512 0e93289931702ff888f622f6d90191d9f5272278629844ec2fd0d523afd64f8ef774c5f39e643586a5dc43919a16c5de97397ee114b9e69c1d5b8e0c3f6dbdb0

C:\Users\Admin\AppData\Local\Temp\AgME.exe

MD5 a0d47ed3a30f232fbe27513fc1905619
SHA1 5bb1769d5180742ea0d86d53aefbd6e9207bbdf1
SHA256 b8ebb5caec29912e5c24a015a1277f1440feaeba27aff016af336629f04bb6de
SHA512 b0172172c69ce4b76306e94c36529f3e2fbc38718049c8fe6a8c059d5162595a7ddc9792ade974bd5d577dfb3567e38ef61a12f6766c23329b3e1ac651294fae

C:\Users\Admin\AppData\Local\Temp\IEEm.exe

MD5 74b5105fe863d9e97d44086276836267
SHA1 1dfdeedb3babb81f37769c63ef0371af8e9caea1
SHA256 e46170924b805e6dfad0c473f21d3980cb2d01be53a1221fb33aef191c816eaf
SHA512 389868d9568766b2a364beeee5545deaf70f0e171a25941c42e5c5c6f6d490719e64b9978b9fdb3662fdcc78c3f5606707a01990de3e0dc2a68a1eff56642739

C:\Windows\SysWOW64\shell32.dll.exe

MD5 2de096823e34462f586d3e23cc714e21
SHA1 5bee84f2a65c494aab0dfca8eb07fd3a7aa4c064
SHA256 bf723aac71986704dfd11e1c42c000f2434a3019dd561b467d4c637378553b17
SHA512 dc4a931003216f4e956c5a8ba8e1a1457e3caa15aab3afdde57631393c57fee6a62995a7a71f48779ae587dca8ac4b61322cc81711b0016f6cabc41e79f8a858

C:\Users\Admin\AppData\Local\Temp\YIUE.exe

MD5 a77d17c2fef08086398e3196f172af4e
SHA1 8fc3ca575965d08ee1b993c87c3c3b015c03a159
SHA256 c42ef76d884ae43fefd6ae0a99b7587873316ec52427be1935a9e98e72f5a87e
SHA512 fa8243b8bd64d7b42ee68d51bc32bca5c540f863ef23a5347dd52b39ceebdccc28a3617eeec03111cd988e220e612320cad9740d9f70c5ff3e12e1e3b5218402

C:\Users\Admin\AppData\Local\Temp\AUEk.exe

MD5 69bde01bb925332543ce965c0ba13e3e
SHA1 fd37f589b84bd98812dd98b26c24d440b2f88855
SHA256 23626631695f2c4ff0582f7dbe715d0aea38219ee2df5c93c05aea601372e1b2
SHA512 e749efb9ef79aa527e6462ae12c98aa69d08267c3f2c1746bef2a9abb26b75fa948c8b41ec24feb6e8057c7205801db23355abf34c0f1da10a0d4166be0f1e89

C:\Users\Admin\AppData\Local\Temp\Mksg.exe

MD5 aaadf12bf71c297db98e2fd7de056db2
SHA1 7d869d096a7bfd5f43c2b3238e1a04db5596b641
SHA256 00998f3166489004a96fdd5b8d5f4be1a1c128e79a02d6b3bf2074fca57e06db
SHA512 e0eb18e50126217dc14da7ad14a115e81455535e15d60e945008926ba5b5204067b878ebc8f3a063f5da8ef8c0e954875c7d8e36b44fc853c8f56c2eb61e51f8

C:\Users\Admin\AppData\Local\Temp\OocK.exe

MD5 6d1d0c6cbf2d6ee46951b717a1f2d036
SHA1 db2fdcc683e17b89123ecadcf6664f33e6008b76
SHA256 855119727c70440df418d3bf651839a93f525524a947c8dc0b160c8c3ed47c65
SHA512 0a16dac67ce6859258818ac58ef6b1c8fe4620e82231278d2426f57c656801cfc02ee981e0089e15303485c79a9c4e2238eba27f9ff26a80583e0c6dd811e766

C:\Users\Admin\AppData\Local\Temp\Egwg.exe

MD5 04f0111065a3e3d55b8e2643de6bce9f
SHA1 198000a96c8ddd03422d95a24e9ec10db4befb0d
SHA256 8f7f0c7b822e1d2e1732629884fa456189520af035013a0912ad5ef3ab3398fa
SHA512 c9ac0b271f206a3d52d684952fbbc461a7104388138e2ec24977adec6fc658d1b8d1559d57144100a3000c1b33ca10634e02d9bebb6c891138643aeca0819e47

C:\Users\Admin\AppData\Local\Temp\UoAM.exe

MD5 9cd02c420eb4f21b51f2ff8972952cc1
SHA1 dab8c0d6d3c168d9dbc5ac094f7fb60d41b6cffb
SHA256 df3bd5176636f2185b60c00b0a1046238105ac246e80207830dad01ad3774c5b
SHA512 fca66f569a34842853ce6ed8f474fc5a489157e6b813f000a23da9b78e453bf6433788ba13f7688096f3b52761ba7f809cd4ee66c8cd34f0690858f25d328ebf

C:\Users\Admin\AppData\Local\Temp\wIUo.exe

MD5 6f5f5a0764ef298fdd42a2deb3ae7413
SHA1 05bac763c3b5ccbdd418019e44fc6b25d964aa63
SHA256 3aebb085d350383536d81b0af2c250ce8f82605c89a1b510ff6fdaa4bb2c787b
SHA512 01bf7d56fa8834a721f2e17e387e66776b87a12d3991b7a98d8dc6a795bf3b27d7d334796601ce20690c26249934e92642fc35241a7f5a2225ee389aadc13c04

C:\Users\Admin\AppData\Local\Temp\aQAQ.exe

MD5 83041b745b4a181119aeac77af145fe4
SHA1 4cd6d993bd67e0173e9e62b159f032075692f0e2
SHA256 0db927be4beda88768d2fd00bf8a4fe377769dc75ac66d929f1bfb7f8d7e74ee
SHA512 6e9b98f8c4c41b677239b3a55ef634669b42f99bf7a680308e485970f129fe7143ecde73f42de82c9e9cec5ff639fccf70ae4365417b3e638032f65c20675067

C:\Users\Admin\AppData\Local\Temp\Ggwc.exe

MD5 d2e0168a716c3e17ce2f3a884f6c6d4b
SHA1 1e6cc270316e13b9896acc9826d0e4f186defaa0
SHA256 b27202d2a72d38dcc28ae94e8f08e56b9ca6ab5e84688cdb1640f47b3906ef0e
SHA512 ecbe0dbf3e4ff4fd46116f4589a53ecc0fbf5429ed12606e2e5bbe65c496c4319988f838c0c189400ae578fcd57b776df4b75ac49995941d4304f02076774fd1

C:\Users\Admin\AppData\Local\Temp\eMAU.exe

MD5 4fb242a8175fa18b37d0d636794453a4
SHA1 ce37598e11c54c26a1f79c66468f239a5c6fb30c
SHA256 02499a0b3f7aeefe069367954c4a9ca1e129e08bf735df2094c23c9760ceb82b
SHA512 8964b45d00df94773dbf063da4e67b6b28aea3556e1a154229147c99ea28fe41b2341660ff2d53671b9030338f8ab9100d31c7666ae5e71c4684c4271dbd7e5a

C:\Users\Admin\AppData\Local\Temp\AwMu.exe

MD5 b39466e5c3d34c01536ad91abd9bd56f
SHA1 5eb10d18227754f4708f85dcd60229c0f77ee7cd
SHA256 8eb82c52aa6ebc451dac3bfc415f667670768d685baa1d584f608febe426af89
SHA512 57d8dae169167359a4dbac7f14db68752352b3bc43cfabcf81772d4b5ca1d779e37772e8b00ca9d63d00a8ccce943df59237b19a326dd6878c3da480c47dd2c4

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 13654587cd378303df8e8665e5ba8b83
SHA1 5aae2701f4213802539a32b8493cfd3ddfd6dfd4
SHA256 d34a33276ff3a9a5c3b6700959c7d6ee6713f481ab4dfe9b672ae24550ff492f
SHA512 d3f5b701433cf376c92ef3693676c4ffdcb65223a54f727527e751950ffd99a19dc6972658429a49f1e694ef0ee789dfe4ba34f115775e444a90d6f29aa450d6

C:\Users\Admin\AppData\Local\Temp\cQkg.exe

MD5 a1bdc90553e3b09744005a5dffb7a1aa
SHA1 fcd6fdc9d33c3a3a9b2f8fc76a0c133ce71591f9
SHA256 8ee2e43b5e75122cefd38d81d14fb2859ce62e62a57315fb4e99aead51c36458
SHA512 afb286345afca061d7bf91b20397fd1f8607f1781d6640806102a0d4ab4beb04e9583986728096762adf7d9617a48414f6362042d50da8f8e1185c6990641a74

C:\Users\Admin\AppData\Local\Temp\Ywss.exe

MD5 83a24d421d93979ca4e3a7bc62ef41c2
SHA1 328eb0d5aea7e182856ad7df957d11975ef30040
SHA256 eea1973220e0c26d131f0bb943394ed3020e64efd260d7f5daad24bb0b0c0f18
SHA512 3fd13e943b9fed76bb8527a93a2c24d5e0e9d2636f392a9d6e71863911c21317ca86f6ca2c74499204471782f1303ff2aa7c97ceeb5bebbfd1cfdeb227f0276b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f9bd2fc860de17dc8e5da252cefb88fa
SHA1 03e3af924b69c14333fe290df55a70fb05a04458
SHA256 033c7143466333aa416f80aa58549ae7a3638c34280fe0de30677db4494c0522
SHA512 83039a148ab821ea1d818bd76b80608c8daf2af062afdb29c8b1b5708a6ff346b1c1836e632b156204cad790ae0cc42efd73907ba47db9e468501e7c0daa883f

C:\Users\Admin\AppData\Local\Temp\aIAK.exe

MD5 9bb44b75d309d118a1cdf10ce6e51fdb
SHA1 e96669d58abff3ae43dbfbc4dfa097991b258801
SHA256 7b43a52ba08978cf77f28fd6f983ac5d2f947bf07ece40a6d5c38a1edcb7211e
SHA512 97d9fbfe902dcf3c7edcfe6c61047d49d3e24dce4590a4f2b390f37f5bd83c626fa16795b7716a55fe90ecb4eefaa522735a5ecd980b049734e01b68d16803eb