Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-pbqqzsdk5s
Target 2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock
SHA256 f1f5aaf209f61e8c50313fe2356e5d2d64035dc33ab435e148ed14c821b112f4
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f1f5aaf209f61e8c50313fe2356e5d2d64035dc33ab435e148ed14c821b112f4

Threat Level: Known bad

The file 2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (86) files with added filename extension

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2025-05-18 12:09

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 12:09

Reported

2025-05-18 12:12

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Renames multiple (86) files with added filename extension

ransomware

Blocklisted process makes network request


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\Control Panel\International\Geo\Nation C:\Users\Admin\FscEkYAI\GMUIkQQg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\FscEkYAI\GMUIkQQg.exe N/A
N/A N/A C:\ProgramData\CeIskIMw\jAYIAUgM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jAYIAUgM.exe = "C:\\ProgramData\\CeIskIMw\\jAYIAUgM.exe" C:\ProgramData\CeIskIMw\jAYIAUgM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GMUIkQQg.exe = "C:\\Users\\Admin\\FscEkYAI\\GMUIkQQg.exe" C:\Users\Admin\FscEkYAI\GMUIkQQg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GMUIkQQg.exe = "C:\\Users\\Admin\\FscEkYAI\\GMUIkQQg.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jAYIAUgM.exe = "C:\\ProgramData\\CeIskIMw\\jAYIAUgM.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\FscEkYAI\GMUIkQQg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Users\Admin\FscEkYAI\GMUIkQQg.exe
PID 3084 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\ProgramData\CeIskIMw\jAYIAUgM.exe
PID 3084 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3084 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3084 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3084 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3092 wrote to memory of 4764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\FscEkYAI\GMUIkQQg.exe
PID 2176 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3660 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\ProgramData\CeIskIMw\jAYIAUgM.exe
PID 2528 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\System32\Conhost.exe
PID 396 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2528 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2528 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4444 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\System32\Conhost.exe
PID 4128 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe
PID 2684 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe"

C:\Users\Admin\FscEkYAI\GMUIkQQg.exe

"C:\Users\Admin\FscEkYAI\GMUIkQQg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\FscEkYAI\GMUIkQQg.exe

C:\ProgramData\CeIskIMw\jAYIAUgM.exe

"C:\ProgramData\CeIskIMw\jAYIAUgM.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\CeIskIMw\jAYIAUgM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgoMgAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Users\Admin\FscEkYAI\GMUIkQQg.exe

C:\Users\Admin\FscEkYAI\GMUIkQQg.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\ProgramData\CeIskIMw\jAYIAUgM.exe

C:\ProgramData\CeIskIMw\jAYIAUgM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAcsQoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAAggIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcMEcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukEoIYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWkkgwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McsYkEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIkIgQok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQwcYko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAgUooMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsEoAosU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmsMIcMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKIUskUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAIsgcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEUEAUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkEEQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcoMoUko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQAAEoog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XScQIcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgIAcIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgwcQskI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQUQckYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCIUYMow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUMIkQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOYUMIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgwoQUco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuUQEcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmsYosoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqoskMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmwwgkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiIwUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deUMkUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOggQAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgwsAoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAcAUoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAwQwMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iugkIAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EecgsQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUgUcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vccMMksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWIgowog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMcgMUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkUwUIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSMssMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEssEgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIcQUkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAoQYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIkcMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCoMIosw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKwkUIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKIwwgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSkcoAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEccAUko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psQkgYos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgwAsUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmowgkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqYcQoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaEockIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIgwUgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWYkAQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUQcUAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkAUcwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcQwsIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKQswcMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usQAMgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkkYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkYcwYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIEcUss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkIMgoMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMwIYkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuowAQso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWMkYcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkkQIUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NokUYwko.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqwcwMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAIwIgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEYEwkME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYMYwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUQMscwI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoMskMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkoUwQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEQowAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMsUkskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqgsMMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DucUQEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGsEIgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiIkcoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmAcMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAkgowsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcwEQAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwcAsIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HggAYIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgsogEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsQgoUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKQgocUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqEAAwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCIUYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMowccMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsokcsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMgoQwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQQUkcwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAEIEkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GocAIwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUgsIUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoskIIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsoEgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOIcUAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWIgIAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyIwUAso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWooocUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWsIsUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuAAYkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toowMQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgAkkowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsowwIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUcwQEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIwsYQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQgwcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryMgAwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEcEkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiMcUUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwsQIUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIIIAoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soYoIUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rawccQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe""

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_b77e4537856ca9970675e2cc74539e4d_elex_virlock

Network


Files

SHA512 0205cf49c90afccecd40dacfb017dfdd75f4fb62b456ae7b3b5d1b06976c12861d8a76a73659768dfe506a7bba8b6ff63c7baa1da9f02296bb5f4325f738b233

C:\Users\Admin\AppData\Local\Temp\qcQm.exe

MD5 49840a56ba95ef460db7ef16b78786a4
SHA1 8355a7cb506aef4c85920fe36850081517eee15c
SHA256 7abd2fbc06b28491927d78a6f0ebff8f6e002f2445684607182354892beb2574
SHA512 0ab146a913511e79837af02d5969abb79bba8692405c17bda7a544c11448be6939aff0e8230b22fcef5b3f0eb035d349a93855eb8794c7dbba234ebab99c6dd4

C:\Users\Admin\AppData\Local\Temp\CUoi.exe

MD5 83c03737d8e54efc75769fc926d56597
SHA1 542493f7fba19591058d30697e20a416739359b3
SHA256 1a13a822b7f722d868130e72569fddf2102cae8964faf7300eb892824e2dca01
SHA512 3eb3afcc3e9c900b87d6ab89f2a4c90b79b38e02d60ea96ede0ca97f7551783fe35017d9207f3ac90d4d58cd6d6f17a9a44af699520cef1373e75320b7680557

C:\Users\Admin\AppData\Local\Temp\iAgC.exe

MD5 7c451d293c37e0139f9f800129b8303d
SHA1 fe2b1419c16151385dc4bc859eade9d201433d6d
SHA256 3f9b43ede3e3f8146d04d90ccb151f34310df20f664ae37829d44e61d323c787
SHA512 8a866575f419c9c6819cfd1e318e9fe1b8275e513d0b4262b39293459f0588094c20d029cd62f2486d218ce9a3bb2e1976c198314ce00f64c4fef60bf2e6c1d0

C:\Users\Admin\AppData\Local\Temp\kEUg.exe

MD5 9cf45c964be580e252514ce5df52c44b
SHA1 2c3ca1aade7793e872fc217f40b8d89d6b24b57a
SHA256 8b26c884f401da3c71a607026a55bcbb903b0c8b76778fb1718f92c40e0fc85e
SHA512 93d896158d3ebb648789d26cd7c86ab411ff70513a34dd399210373c2d0ad2ecc8e68e9c88fa63993c5d8d636d266e201c5e6da78a256362897d8f50bedc2b6f

C:\Users\Admin\AppData\Local\Temp\qwUo.exe

MD5 378df852d4cc5f418363a7e01bbcf309
SHA1 3075ddae1578d959566e9620167544f65652e549
SHA256 5bd9e7fb9307841c35e802caeb7db18816871efd56f9151da0d564f276ad0b5f
SHA512 a482cf77c1be54a6fd45d4353af2921e0125dc0992face86b62cd7491a89990acc19974628b0718024241d8c7ebabee2017d6ba06d0a240f41f610457585c76b

C:\Users\Admin\AppData\Local\Temp\OksK.exe

MD5 791e1d046beaf3002fed61936ac6d039
SHA1 c2e30b3e4012d01cd05dd3cdf4fefbcd40fdc415
SHA256 7a3dde861c3f91f64717d47538ab23d1ba3554cae7da687d45bf418613680c8c
SHA512 7581f94538e2b73acaf0cdb168981575a9cf7e1a4f9914267e5d1be7fa48fa51e7e266fa8226f2b64452cb2e47c4b5257085e025ad03e08e93876ce5530abb68

C:\Users\Admin\AppData\Local\Temp\UIcQ.exe

MD5 ac994c143ced9d9567d9d32874c5ce62
SHA1 24eeae63152939ef6e4745ed7e6d3ab374dff34d
SHA256 6323e58a3b4b3f001e2b42e7aac508918d9239d701cb281945c16db812b941a5
SHA512 2431485d2c120ad88538ad1990fae96f8b464f8dfde92c58608cfda1638a21fbb603551142868e08abcc6338f2fad89259001b7925860a8277e889e4086506ab

C:\Users\Admin\AppData\Local\Temp\kgQg.exe

MD5 e546c269526454673f9aff23a15112e0
SHA1 eb9382641cdf5bc4329ced3fe08afb754d413743
SHA256 86b51ec854380fa86da638a7e09121e19f5be0a0574a16b44a571fa0e67cd5b4
SHA512 c3407b9d73102fe90ce98bdc6a0c55e290db0710a982afeac572ceed215991d5bccbfec3197c03df527ca3c5316708bbf408be478daded30f6aea9a703ca14ac

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 21c89f36be7f5a05b3382cbd2fe717fd
SHA1 c9b87360cf5501cb9b2a386513668fd44cf4a5a3
SHA256 d5335432166bcca690fa3f255c1cf90140b74457c5ee35c1e2da62bd50e51b85
SHA512 1625c00be6a6bf7c839d3be9df53d95082c5d2c1432de679422de20702cd0195a62de3077eab646332f5c3a783450b0de3ac2997b84a0f8641edbec2820f92e9

C:\Users\Admin\AppData\Local\Temp\QIgY.exe

MD5 f207474243c9e3fd64699f3eb1aeffb1
SHA1 c686dbe26497cc9b2968e00de8824045ed10efce
SHA256 8a453adab5f50774937da58343a2023e4e79975fc9c2b64eff37cc4b568d431d
SHA512 6e80ce9924c7d051937f44f3a91b4ad684afcd300a0538bef0b1fbdd1c569a0ddc2168a484acdb9f8eeefd1d287b6f0a5b9cc87e7f671e540b18a826a2f62f14

C:\Users\Admin\AppData\Local\Temp\aoYE.exe

MD5 5f48c4b7b49438408eeba2aad44e5a03
SHA1 d927a2b2e9428a8cc6bdf892ae2a2c0063cdeec6
SHA256 34c428c650f7573aceebb4ea432070091bc61faf1aadb2f7817a830b47e172f9
SHA512 61986ab7e3e2eb421f2feec97e85ce71cb98bb712817aa71135ec50cc4575a92e0d1f53fccffdf9e33f61201acccfae1a07354b25b4548005d66ad130de31a3f

C:\Users\Admin\AppData\Local\Temp\uosM.exe

MD5 b8346ae9edc1dd6fd7e5689406b3c30e
SHA1 39140db0a9400814dfb0a0e54341ccc1abc06664
SHA256 d452515bb8cd34711a77e202ac655eeadcb64b509495c0e59cf4d7ff4e663493
SHA512 317472f59a63ded238617ec483fa24a0c1fe2957fd55f424c860f5916828fda4b9f6ff60df327dc17f16ef4d255d66ffd6afdec86a9099a4f238a74a423e3225

C:\Users\Admin\AppData\Local\Temp\sEwK.exe

MD5 9e7d629329b1726645fc615f8ce2feb8
SHA1 0ca01aa5e9c3978c7b6a8594809bae89590e5e14
SHA256 9904441f501f3543cb01b6274fb0573082e53eef632cbe6d4b3b149108f765a4
SHA512 cab9707118bda4b9c504060a1e548c636dcd52ebc6577600d06e17a2fb080f0d1077471c05c957f98724ec679601f16af955d5764b15bfe9ebd00afabe7d78d2

C:\Users\Admin\AppData\Local\Temp\Mgsi.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 29a58529ae52bc3ecc2c26b1520171ed
SHA1 356936375cfad7d037408da0a9e1175280234f28
SHA256 98e990f38f97f4a4327ecb00da6fd1dc63fcfe2e0c3e10926d5e0bd0c9642334
SHA512 8afdb4a74b3402379d9ccb29e4d291c7011fe27ab1b600aa0bc6fa6734cfc4541fbc09024462998cb00b7e216b3843826c4633fd10447cbb81f956625331173f

C:\Users\Admin\AppData\Local\Temp\kgUI.exe

MD5 1ce5213bd99fa2122abcddce8a01124d
SHA1 81829d61525de5dfd9db75eec46f7d1f8a5ce9f4
SHA256 491ec4dc8859062f0b48e9ec0daf6284082252369f5d1c1db31807324fe41343
SHA512 c78d7d22f387751b6311fa39e97e066f593a7193a1339cbb8e4cba5ccaa2c6f6ced3210f394225629b1da08022d1d8c70eeb573f24d854ad97128fd67c32a32d

C:\Users\Admin\AppData\Local\Temp\CUUc.exe

MD5 ee9cd2eb96ec8a28d9ab97178058b15a
SHA1 74833f043d8c7bee88edf736abe2cfe42c6e75b2
SHA256 31fb480791081c671b2bfa5081243d37fc72a4fc790c1460253030750789dc69
SHA512 afebfb057df982f37cb9d063d73e92ea1dd221bf8cc4036a308470cc39fa4c7f54ff682d404537b7aa4ecfbaeb3e0650da006c23690785cafe5e68caf5ef7202

C:\Users\Admin\AppData\Local\Temp\MUQO.exe

MD5 c4261048adadd8f425ff172475c274e1
SHA1 f89aeb2f468c7f7c30ad0424a8c50a07c384606e
SHA256 c686a5599d7efc26de7893890307bfa2b40ca90d227b8b9e67f277f02959d8ab
SHA512 b1c9321e49d3c64ca3c1f5f3c9b4b98dd957bcbaae353b6656a4856ca38b22e2c6482488f18f35008c78b79211203feb8b24c1a1dcc3c7aaff05204840b3d6c9

C:\Users\Admin\AppData\Local\Temp\Mgca.exe

MD5 b0c001febdaeb22355b1fc0b3d31184e
SHA1 e9b457b337c35b8a3af84555e1a0d3032e1dcce5
SHA256 21de0bba4f42da76528fb9a9be1569ad33bc8b2fff6e352d982e1f25fe45739f
SHA512 c7c2ca244b8927ee70e360961eda5277c27d6b10391951f269e95f4e6881d74322acf07d3dcb7dcde82201e194af74321b9d213f6820f5850c25e07237729e79

C:\Users\Admin\AppData\Local\Temp\sgAe.exe

MD5 08a85a7cbb623d040386edde2ca6c87f
SHA1 077f6dd544ab9bf2a2f9eb5839779c82251bb5f8
SHA256 446587cbce4cbc78d02069521ae94515a44a1b7f66b3930ffb604e2387eb50d7
SHA512 228cbbc2cf11f8da2a4f1bc991f916aa02b7e914742772ba65d0de386828d5b1d9f1e4827a64373b6cfb70ba8d782a1f79ecabdf6c35d0d898df15cacaf5258d

C:\Users\Admin\AppData\Local\Temp\QcUC.exe

MD5 47c6b9ed6f4c00dfabea2920d62e3e05
SHA1 826179fe6b33bdb7642e1cc73790284dcb677a49
SHA256 d042a1aef1fd4e4337f6c2142b73e5a5274ca035e88ddb5618ab8b50a0e67546
SHA512 9f8cfdd529c035fe3d605f8a4fa54e5e793da5120bd2a810c26c9672132817692b1f0c7fb822c594e68bed609f91cf82244fb2252476d87ed28e2d14ecd3ba6a

C:\Users\Admin\AppData\Local\Temp\KscO.exe

MD5 993f7d73f42fac95e5e19548fce6a8c2
SHA1 4dfaa076559b39c2a9ac399e608cc2fb438deec9
SHA256 c08c554882ad1a3ef7ef2852950adb807a4922f9c2c5ec38d05c62eb34bba3e5
SHA512 8bd95a69638107cbddb36b3e68ac37de6b7c699d6487fa7c8e18fedbed872762141cddb6f67a00687eae95f2dd42db4f27620efb35337bea9e44ba3edf48512c

C:\Users\Admin\AppData\Local\Temp\mAIi.exe

MD5 088769ef013b8fa21faf499447d24563
SHA1 cb1c867c977c07f3eb4eedca012016d2809020b3
SHA256 a692c374084f6981acf5c542ae98003c8f0081d89f77082a364314fd64100b47
SHA512 780025c99e60c0cf859865ea970f9ec996a406f7c01bd73cd01c440d20a225d0d7d6cde7d1002acc6a1fecac0aa91c3090a23092a991b39ef269faae1963e350

C:\Users\Admin\AppData\Local\Temp\uQse.exe

MD5 97c676359f12d5dd9837495784f248b5
SHA1 1e1c00e59d2925ad1e41c644c3e4fe6aa17fcfa1
SHA256 2631754713da7c6ff26bd01fedaad687f57a3f260a1c194139ae88b210e6a5c9
SHA512 56d827ce470205a899575da131fe322533fddde501c80f9a37874a60bfcf344e01b7525f4a0ae7b671d68d783b58270fae79ef62154752a09fd53daea3fb8d76

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 4d9a493a6bd31de4030ae901d034bebe
SHA1 1dd30c6399b2d86e48c82e38128b8cb3c7eb57b5
SHA256 4772cd39cbf373a1a32189e93691ad9b045018a3040492adbfd03b0fd2fd07b1
SHA512 9a56032a3d4b716e99d5fbcdf0a3683a4618ef84c0fbc5608a83aae6a3c7afae16493555ccdd93a9c7b58859558c130a922ba51411d97d5e882a9a2b10dc9a65

C:\Users\Admin\AppData\Local\Temp\OYEe.exe

MD5 d23062f40aca0abadb0d5defe56fb436
SHA1 f05624ca7277e863f76652050d6af7a21a44fa5d
SHA256 2dcefa0542c1d5c0fa032515d0fded4e3d3e723a6d95cbfb2245f170f8024102
SHA512 48160fc7e9ddfe4e4bcbc7ad9e300d1c1fc1347621217fcd528413851a1cefb5a635dd1a318486a3eca54af0fec3f46134298b2494797cb891fefb1a027211ee

C:\Users\Admin\AppData\Local\Temp\owIy.exe

MD5 9c42247693af1b3ea64a4a013775f053
SHA1 8726be1505afc46e37759e0f7540dff41900e095
SHA256 477b054475c75bd83b29114a99d33ba1483ddc39538c977d629b74da995482d3
SHA512 50a838ba74ad76e4d07b41dbb43f51c9ad93c26eb6e897fb33739d0c4689df79ddc60be36a352b1c4de984f095c40e0d0babff188957f6c8098f250e6e34542f

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 946801d8984b961c99e42e83818eb3c2
SHA1 8b54899300193526b6e8edd87309c723f4e0dc85
SHA256 8f9bb577b473f3cd9f524bcb50c185ff9dbe11cf77b0c71b83e14c89fea89410
SHA512 6e416f68649058501469023e9ec13175b3cb2e6833b04aa416f31128f4533ca14795ececaede83e17708a56c723b7456f23755a9f6d2f6e067baddd93de18594

C:\Users\Admin\AppData\Local\Temp\WgoS.exe

MD5 9307063f53f54cc278736a4f5cff6c76
SHA1 459f33fb0b728826ce23cff1ae8f910efe42c2aa
SHA256 499247acab13772d019afd10182a91d6ef89e8e55cbc09075153198d3e63b611
SHA512 3837974ebaa8fcedc3656100e9680e558177fc91288838c1b47cb76bcf8212d59f113b3cbc1d498dab5d272c966ec8312bb15b6d526d9d5e945070fe2fcc054a

C:\Users\Admin\AppData\Local\Temp\Gsgw.exe

MD5 b0c601811de904080e15283014a1e189
SHA1 2573ebda4fd5682f282fa2354ed1f2fe29d15e0d
SHA256 b4a37676523afb6185aae9d67684539acefa744ec95e5583c14154c0ac5d97c1
SHA512 cda0bd3021378f40662d4fb61c89a8cd2216d5adc2fc93a092f99f1eaca4fb2879ea35665231ada7a79670c6a431b128097bf9ca6030c7f0ac64f390b055008a

C:\Users\Admin\AppData\Local\Temp\cMgW.exe

MD5 2b92bc8bf8df6dce883928803514c29b
SHA1 8d881bdcda5c935c1ef387f54b75f9496b56e634
SHA256 b3293cb7507967c504aa639e0e2c65ae7e3ed3d242135b85a6940fe94a8fd071
SHA512 2d9a2c8563a3117b223b8119d3e35f27f4072967cbbe39dc70d0ee1b805dc1d2b1b0b1156a6ef38761d340ab5cc2e6e53de5b5d853f92cf4986fd77567c423c0

C:\Users\Admin\AppData\Local\Temp\QoEM.exe

MD5 eea296668cd8ff6b9aa984392ac29199
SHA1 e656ce937ddf9ca370c51bdf3379d7efae7e1a04
SHA256 758e48d1952ad61aa2fdb6466bf4b145b81a512865b2e28fea09a2eedef6562e
SHA512 25ec527491d8944ee299843afbd66b7ba8ac19b161419929c7b9c9e035d18c237ea635554f27cbcf3741d70aad69ba965bbdbbafa6bed66e3868682390e6b180

C:\Users\Admin\AppData\Local\Temp\MssK.exe

MD5 89b2d5123719f785967c0bd0112c3fcb
SHA1 bb82e908fa0ba85a10ab9dd11296075e537a8355
SHA256 1d01501499305ac8e96b7b0852212553ca81c00ea77f3991c3c53a927e588e66
SHA512 82721b8cb780835e273edfafbeb0514fd79b4d94d1dbcfddae6c701ad9361dd6ca68ea0d2298dcb6da867bc6b950c63425ced046fc435448e0425bd25ceabf0b

C:\Users\Admin\AppData\Local\Temp\Yowe.exe

MD5 1dc4fd170c00937c0354ecd2c5700a68
SHA1 264bf473ea34dec7988543c4cf59826eb464e312
SHA256 dd64c620cb43b96e47566e39e0454d1229564413e98328c133ed4fba0457e3bd
SHA512 a19a44ed160d32f98e0a5b51b4ed62481d44e72fa2850d9ac90fad1597524820be3e1ad5c9dfcc0f8f176abed0813a18819be854a5d853eda0156334a2252660

C:\Users\Admin\AppData\Local\Temp\McEU.exe

MD5 72e7653f3ab00a41067ace40646a0428
SHA1 6f21b2e186a75b7ae1a33ee4bcf1dae9c3da922a
SHA256 6d7ad3817a74b30c0976b55abe19f82bd178e23f4d6117f904eda587813291c7
SHA512 05ff94deade078833e8c08e19cdd39352209f835a49198e978b17c426d42c24b3245e518c5b48709bde5f4248e9ebe90d2710a32b49356497e244fe63b80f9bd

C:\Users\Admin\AppData\Local\Temp\mAEO.exe

MD5 9551180f226932d8ad2c689d45768110
SHA1 56b2513e76d1afaf0e1a64b0ac564a54a5365112
SHA256 019def09e6f8fc2b22ec49e7f18bf1a82ff1ebfd89eb6ed8b7fd09e4ecd5d407
SHA512 69636660605d3a495cf628a7fb29669d916c0807601f5bc01eef53195251580ee43b38af2fe77ff7724ca8428739001f90345a20fbb505bfa454177cbc40e87f

C:\Users\Admin\AppData\Local\Temp\iEAI.exe

MD5 f5783f5fd7201084b840177bf99ec19a
SHA1 62b01ff82e0966d3d787ffdaa0dde1b45dc65a57
SHA256 7983c1d865a5129523a5086c9db6907f0805d58c0907c5c2c6ee7a63d95ffa2d
SHA512 12ad3dc5d102502ddbecc94cbc85302f28b544e97ad6a2ea1ef1233c7b0ffbda99b1bdb51a610b43095ff47432e542ccfd56fdc9e8d4a6c5c18b452e97a6c4d4

C:\Users\Admin\AppData\Local\Temp\IwEk.exe

MD5 851d633c315ac5ad6b34025c8ca1febd
SHA1 c2834288a439216857b58d6382a793f65c7b9b30
SHA256 43cf32a27c164de5519bb474a79409156b4a5eda90e06b29232030f14cfe6a74
SHA512 4bdb8b53e462aabf8f3d632664f39ea4c17a0f71d8a2df2c1c8928da4966b7ee87e9ee5710957a7c6f4926d694c89c1ebad5675f8aa66375520a069f91007401

C:\Users\Admin\AppData\Local\Temp\ykMC.exe

MD5 28bb1bbdb270dcda53218fdd9f12dc3f
SHA1 3af4ce7e46fe60d442c33b9fea8ff7902a9c36b0
SHA256 d0d484389540a2a1afd79c620668e4497e85d2807def7c3c0129ad640675f202
SHA512 5e5baff2ab13ee52bc600c66140ccafb45284aeb43ca9446f04645ca2cecf55acf301cf4de6d3e6263d505fd72d61fb2380db770007e7571546031da208a1897

C:\Users\Admin\AppData\Local\Temp\AUQo.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\sAcm.exe

MD5 700775b9a91df8882659670ec2aea83b
SHA1 13edbef0117a0cfa069e5c9717a36d82c699b18c
SHA256 dc4663c8d7aa6c09c54a473862380f6f51f5bec81e9ebfc78a3210502b682f29
SHA512 e21f397ff8643d02f6b12d17c27a614f62a0dbf3b10a2fb9fb62cf45e4a7a64cabe96ce7e5cb359e9c80c8b5cb8d0362c59066b72e2a6b32468d94d7d5b2021d

C:\Users\Admin\Downloads\ResizeRename.jpg.exe

MD5 7da3e8e647a1353171eeb611a3cf31fe
SHA1 31c1c89c386875f7005f9209ea85557c50b6383c
SHA256 b2f1672aa3d8c40252009837489efa247b2dbeaf942b05f74bb6bd7dc963ce57
SHA512 f68763eadc46a6755a1c405deacfc12b651682900e2f27a1545ced4848752785c769883a88bc3f4cde288cf4e3fb9f166d3b26fffddc4b9cf41059b8577f636f

C:\Users\Admin\AppData\Local\Temp\cQAy.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\oYEe.exe

MD5 dec4678066d9adcb0cc3b058979bffc2
SHA1 ebe86d218df2e8dfba269a8bccb5b28f648402f1
SHA256 5e4e91a17402720976103153b3967097c03f06ff75ca1ff1bab0ebcc5f348bd0
SHA512 73f5ad6b9e9e236af64a3a062a8759f9dd798abdf317a90d7f8af7d83baa418895f73097838c481339d8aa55dce3a354a53fb34a1fd4de5fa66903c1c519331e

C:\Users\Admin\AppData\Local\Temp\Akos.exe

MD5 dd894bee0f126649c5069afdab26a89b
SHA1 80d25c42c832833c1c491ddca2b27d3ee65e86ec
SHA256 7d5f73804da46a676b7169878308fa57856c05dbe3744d98471f2bb1c9c8c10e
SHA512 3aea921c62f9b6ae3e68726aa3407b9cbc169ce25b7674962d10f4cc84a858fc4cb09b8d19c8fee2e2ca1bc062d7e1938bd14a6ef1fe49bd7ac028bf4a138f78

C:\Users\Admin\AppData\Local\Temp\eIke.exe

MD5 436acbf8a641db2433b0182f653e68b9
SHA1 35c30ea06a19f9b9abc0b70bbc6776de9f88e3a1
SHA256 4f5be47ed0c007c4f12dc451d1a4dcbd060df61b6d2a70c9f09213b2ff7491fe
SHA512 2f30f74868ecd2d0b050e809525795593acd9cf91344b52b68bdf225dc895813da3a33096cf766abecf29be2cde737bffc214ff8c4e527b2edbf36fb05a5bef5

C:\Users\Admin\AppData\Local\Temp\UAUK.exe

MD5 1a042107ce19ba5d0665a3f4bfbceb80
SHA1 c1491b8dbd7e6b2e8d530f596bde5d83cd613d52
SHA256 a26b2782fc9396f09fd2d8669749f45d0c7e4a9ef34c942dd653deed73898851
SHA512 98b2d84474343040741a3b65ca13411a4b795bdeec2aebfee1d40c9454a27facbd9543f80bc12a12794ebd6edd89ddaca566655c332ba8cbaf21f2f1350c62f2

C:\Users\Admin\AppData\Local\Temp\oscY.exe

MD5 24646c317c5e43d8d5171c91cbab0c6c
SHA1 6283361621eb2d25e22b8ecf46eeed668cecbe14
SHA256 498857aac9876754f9c00ff4e031a806a80b564928955dcf20016be5fdfdeefc
SHA512 cdebea2d9648e2420eeecf17b42f0b04114b926e79c83e79792f5b171d05ac9c2d4587957c5ef5b96b6267de8d889465fc937362a1f99338143dd3a1901bbf4c

C:\Users\Admin\AppData\Local\Temp\yoQI.exe

MD5 0b378b702bdf49285560ecad157f680c
SHA1 2ebeefc6d3eb3bcd58a0950f447e8f7f1652de14
SHA256 2fed5efb707cb8eadcbe6892fbdce5af8e693b6b51464deb6c0bfd081c7660cd
SHA512 29c5325ded53453f3a14674dcc648b71b35120f6a8fd586c1b4c911a0bfd42852716f4c0b1bea09e653cb9a3829bc3e90099a256e7d9524206d6c646b1ea42ca

C:\Users\Admin\AppData\Local\Temp\sAMa.exe

MD5 c528e50dd7407e2cfe4fe4f27ee6e267
SHA1 7e7ac5dbb5167305a425a9fb553dfe6a5657b7b0
SHA256 baa0a426feb7fe2d85b6b976310b4d2d07c6a2cecabdd7e096ac3a62dbf082a6
SHA512 d140d76ac6775b0fe4202e5f4e9226fba746960c73991acda3f24e8c34fb30b919b0204d9049804d15d7515801c6567e7f51fd18c2785bb0816744a9d61bbeee

C:\Users\Admin\AppData\Local\Temp\swgc.exe

MD5 fbcaec5446783b9ac43d8fd7dc778e5e
SHA1 1f2c1a375e5ba452b9d00bd9c25005d2a8ab9c26
SHA256 42616a3c17d82c0de78b4548fcfd2162c08a4b15feb6ab74a2454af03ead5259
SHA512 329d032b75bf303685df3ba858c445e8861d477c53e5eacbdc607b9a5e1b2e465380231eb60b35990e981512668ca0ae473a520588128f1f33634fae74e48af5

C:\Users\Admin\AppData\Local\Temp\WwAc.exe

MD5 040ccceec9e58a399d4e736e656933e1
SHA1 7d246b072b8570d1a24391d2cdedf830c442df60
SHA256 10b8c0b1a48e4a40bded0bf8a6d1138c6d6cf97d8f7837e9900397c6db1a1b57
SHA512 e451fedfbfd14912375c67426ecbc851065117c4815f0d22e4e2d729f768e41664d0bd0a9ffe259b9a9be9aacd3ce505168463bf1f06ba972b7ec6bd6654dc93

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 7e54bda5e15ce9962ed36a4858254b96
SHA1 0648981e19c98dba44214289b68e516036bb3b89
SHA256 a86bb8ef553055983885b71e604b7d00406652a0103b598d04e0c34182de8d97
SHA512 3149edadd5159a2498ac299ece29a369d1ab359c8fc03b1d4f3f31e48f592e2489362f56a078bcfe41104eb3d13e66eb773d7a2184fd852739b11d5b18647c90

C:\ProgramData\CeIskIMw\jAYIAUgM.inf

MD5 01865e126065542e4b6896265ce4b685
SHA1 630ced2eee92c4d101e9883fc2e958da48a518eb
SHA256 c80345cb65ff18e3e597e8b56f727521b48fd75ecc194ffb43d35f9e90d31501
SHA512 e060a1cbcb0a57828d156a1e57acc210fc9ba6bdd26aa6b314e250c36d9315b946e2fedb5535430ddaaa2b2fc4296346facd26e65427093f4f4c275f51f6e5d2

C:\Users\Admin\FscEkYAI\GMUIkQQg.inf

MD5 49f2ddc06130870d74f50996ac1649b9
SHA1 4fb7c492ebf18b7b38d1550d7a1e2488f71ed2d0
SHA256 13ab9e60f92fe030efdb9d68171993e4043b868d0da7306bb76bd70a62f2ea71
SHA512 eac1c0d37d1e40ea6a9f5eda12e3d5fa4c1220fa0065d4becf1d47dc7ec145b433117d71bf618bae7eafd141b2507d04f426b98565771b0916e24a3bf5a4201e

C:\ProgramData\CeIskIMw\jAYIAUgM.inf

MD5 02f770a84ab6c98ed62f16ba8739842a
SHA1 998a04c5a949568d0fd73df006a84b9039835b79
SHA256 317733f1a75468143a4a7791ee7e0075244ad2ed62e7dba2eee7e03341063bb1
SHA512 24312130a21f3cf9e3e8b0d7a3818b89c0ab63f161c1687a4bb21b9bc57701101acc8b173581547b9868c0544fab368a5c857cdf96cfaefd1704f3e619919ef6

C:\Users\Admin\FscEkYAI\GMUIkQQg.inf

MD5 6cf0e5111de94cfe602e0f3f4571036b
SHA1 28530a1c3062db7527cfec504f3b79d07e41578f
SHA256 d4faf8450c95c2849b1d5becc102dc06f88add1a5fd43ecd92bfe824e0f068ff
SHA512 d2b24e095e2f6538eea5eb0055943505a4c0d0fd0fb79b7dc610f358fdf2c2b69b3c87c3361563565969d721701e5c3ce73a93c8f7edfd51f1bc07589ecab1ef

C:\Users\Admin\FscEkYAI\GMUIkQQg.inf

MD5 6138560c1684b55178c42a888c5cc6f9
SHA1 e7920f68793e37b52cb280d20a2fc3bc382261db
SHA256 bd0b941884f81bb0a05e81e20ad9eabf405835a1b56e3d054ba79fcb72ce3686
SHA512 e6211f5bcaed517d5e9210a1254b6c93c54eaae83ab5e40b9e825ef97b914290fe46f300dc429ff2b1bf485fcf509be3dbb00af6c68c936de5df35ea6a577452