Analysis Overview
SHA256
66e35a160c927741102a10e7944d213c4d70e294988ef3692f6d04528c752759
Threat Level: Known bad
The file 2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (88) files with added filename extension
Blocklisted process makes network request
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-18 13:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 13:08
Reported
2025-05-18 13:11
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (88) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\ProgramData\TaQscUUo\jgsIgoUk.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\ProgramData\TaQscUUo\jgsIgoUk.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zwIAYUgs.exe = "C:\\ProgramData\\rOMowAgg\\zwIAYUgs.exe" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mugokIQs.exe = "C:\\Users\\Admin\\RKIYAoAg\\mugokIQs.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgsIgoUk.exe = "C:\\ProgramData\\TaQscUUo\\jgsIgoUk.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgsIgoUk.exe = "C:\\ProgramData\\TaQscUUo\\jgsIgoUk.exe" | C:\ProgramData\TaQscUUo\jgsIgoUk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mugokIQs.exe = "C:\\Users\\Admin\\RKIYAoAg\\mugokIQs.exe" | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mugokIQs.exe = "C:\\Users\\Admin\\RKIYAoAg\\mugokIQs.exe" | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgsIgoUk.exe = "C:\\ProgramData\\TaQscUUo\\jgsIgoUk.exe" | C:\ProgramData\TaQscUUo\jgsIgoUk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkcEQgQo.exe = "C:\\Users\\Admin\\NqwwgYAY\\kkcEQgQo.exe" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
| N/A | N/A | C:\Users\Admin\RKIYAoAg\mugokIQs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe"
C:\Users\Admin\RKIYAoAg\mugokIQs.exe
"C:\Users\Admin\RKIYAoAg\mugokIQs.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\RKIYAoAg\mugokIQs.exe
C:\ProgramData\TaQscUUo\jgsIgoUk.exe
"C:\ProgramData\TaQscUUo\jgsIgoUk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\TaQscUUo\jgsIgoUk.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEMoMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Users\Admin\RKIYAoAg\mugokIQs.exe
C:\Users\Admin\RKIYAoAg\mugokIQs.exe
C:\ProgramData\TaQscUUo\jgsIgoUk.exe
C:\ProgramData\TaQscUUo\jgsIgoUk.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSMEsgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqkckYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkIwswY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcowoIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSEUMAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEUYswgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmcQAYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsoswcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAcsscU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAAokcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeswYYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIYkoYco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKAAokkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSEAUgow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqcoQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOQYkoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKIUgEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYQQYYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEAMoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juUYQksA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiMwQgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGQsQwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEwgwwok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWwgkcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMQwoooA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQcIEUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKEsYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuUkYEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCMgUYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwgMokQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcwkMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcYkEYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWsUQEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKQgwYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIQswAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pocAQwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqQkksUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twQgEkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaUoIgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUgIAYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AoQQsMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGsIskMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMUMQgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWocUYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsMAIkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgwEMMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auUkUIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wucsscIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkcIIwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImsgEQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAgoIMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoAEAYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGYEQcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAAsQwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwUUIQII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQgcIUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkYYAUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcQUMoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIcgwAog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUwcMwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EokkMEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyAMAcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUEcIwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMowogUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOEsgcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUEoIQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teoEocIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAEMYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmAwUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQsggYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAIQccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeUMUUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIsYgIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqUgMwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIkYwUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwQQMUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwcYkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byAgocsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAccYEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqQoMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEwAMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcQsYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegsAAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYUAgkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkcUUgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWQkUwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEsUgMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqUkMkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSAkMgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAUEogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIwQoQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQMgwgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NckMoYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWcUkksc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYUswMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQMYYQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAAkYUgc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgUYAoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LicQggkU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIMkUkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAgcwEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omEsIscc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuAsAsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQUgwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQQUMook.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGkQwkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqEogwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgcAggUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcoQQwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqEAcIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGAgwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEsAowYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKEAgMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuYMwkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqYkEwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAkIUYMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAQgwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmwYAEgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUQMQcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiEgUUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEwoskU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIUYgAss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCMoskok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOAkgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
memory/3980-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\RKIYAoAg\mugokIQs.exe
| MD5 | 6e100c9973412c8f66322e3a8db4865d |
| SHA1 | 8f86c8af7aa31372bb22b5baf8626b2d66de97ae |
| SHA256 | 33ee0d0768fef708a5749b7a68592805a5056ab49547a8d7bdaadc2b6552eda2 |
| SHA512 | 6de88f3013a2223ddf6bfede5ff4ef5e5f19ede43d13878b3d421439694c8024a80bd09b74611453cdbbbf114f95da2553f5b4dd0c48a1a4666036f0f35210a1 |
C:\ProgramData\TaQscUUo\jgsIgoUk.exe
| MD5 | 9c74d1354e2d1878e24f29b0c5a36725 |
| SHA1 | e5152c1938a75a813448f1de99222e025d3deb8f |
| SHA256 | 28e344865a0ccae1e789109c086aa6d85827cda0a81d125a2555ce655e75803c |
| SHA512 | fdd3ba5d00135234abb38b35e71577fdf0bedebcbb0c1ce0d7b52496b2b7016ded02c48d699d1f7619c03602f5b36fc4daa4a73c07a22ea8796883b8217ab5ca |
memory/5736-15-0x0000000000400000-0x0000000000432000-memory.dmp
memory/6060-7-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3980-19-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4596-22-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4728-25-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZMEMoMgg.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
| MD5 | d3ab425b258de25415358116b5a507d8 |
| SHA1 | 5f1cd2914105fcc99d08d0dfd07ab52cc8be2095 |
| SHA256 | 5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5 |
| SHA512 | 14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06 |
C:\Users\Admin\RKIYAoAg\mugokIQs.inf
| MD5 | 93ccc2d6b39da899e1c7bc5bef0c41d4 |
| SHA1 | 8a9b6634b558a5054cfa22685a81ecdaca861290 |
| SHA256 | 210c36768ef5987e1910693f0f8215d4022156e20cb5af6b00bd1fe0b3655ad8 |
| SHA512 | e5b096ddbb73fce31700e8b0692112f9026ccafe8dc0a1447210c2ce09fd1bd1c9b2ed40c91913b48d135fa2daa68f797839b8a3fee300ce840d5c094b697184 |
memory/4596-38-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1588-43-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1588-52-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 3bda66344cfc43324b0aebe47760ed24 |
| SHA1 | e841106c1d103f5f49a743f9d03d91616efe2e5c |
| SHA256 | f988d0a47b1cb3276b9c935dd410be8c8f41c506dfd876281694245c3313b551 |
| SHA512 | b6e856de9282e02a75a69442b86880a59d352b4b23e172e8b0a8619eb962e5108fc35589e4f20dc0dc399e6ffe36cc582f46f87fe3e87150de2389d1c1367e87 |
memory/3940-68-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3744-67-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3744-79-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1824-94-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 748bd21fe4d5a5c9c6029f1ab0943ec5 |
| SHA1 | 8f8427e58b021dbeabde0d631de0e36ab155d84a |
| SHA256 | b07992cf93abc9339aa0833a1d19c42ecc0b3307bb5ec390a05664262940356f |
| SHA512 | 08745bdd25fa94371a7f59d3e3ebdc1d0760eecbd33fab47aa228da1a5512dc930666fd0af0eb4c31801809bf9b1cc31cfd41d352cc18c91642746d4a5374587 |
memory/3364-105-0x0000000000400000-0x0000000000435000-memory.dmp
memory/100-120-0x0000000000400000-0x0000000000435000-memory.dmp
memory/624-135-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4892-146-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2084-157-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | ab91ac5de51d52bae6b073c853acf3ed |
| SHA1 | f02cfc3827b613d4a53987bfa3e5331aca716062 |
| SHA256 | 7d387c6f57dab8fe0fe244b969ab772c2ce18caa0cfe2e0f808d52f2aa27e3f5 |
| SHA512 | 0edcc439923dbe04879f8fde73653548f0822958c92c2bae1035ae8b32e6b8a673ab797dd69e1d55d60ee07fa139fca8c1dd84d404379363b192b4338d7cbb6d |
memory/4220-169-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1840-173-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4220-186-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3480-199-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4852-210-0x0000000000400000-0x0000000000435000-memory.dmp
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 9eb2c3a21eaff9d07252836dcb5eceed |
| SHA1 | 7313ae468aed4854b1fed416874b8988885a70aa |
| SHA256 | 19e9c9f4d72e49c9651f410d69023c77ab8af7c21c8c1edc4f3191fef891edba |
| SHA512 | 78cc4d064aa9ed0593cd4ae473d4605f960e99fc333ca3f38b703c3eeb638b6395c13bc6f719c3ace9efc1f5848d8d65568e1553d0fe42107c13cdbe607d0b23 |
memory/4596-222-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5464-230-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3008-240-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2592-248-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4020-258-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4000-266-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4192-273-0x0000000000400000-0x0000000000435000-memory.dmp
memory/316-277-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4192-285-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4768-295-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5668-304-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1180-314-0x0000000000400000-0x0000000000435000-memory.dmp
memory/888-313-0x0000000000400000-0x0000000000435000-memory.dmp
memory/888-322-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4992-329-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5780-333-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4992-343-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2004-351-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2264-361-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3620-369-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4924-379-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3928-387-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1552-392-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2532-396-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1552-406-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1272-416-0x0000000000400000-0x0000000000435000-memory.dmp
memory/6080-417-0x0000000000400000-0x0000000000435000-memory.dmp
memory/6080-425-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2192-432-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4664-436-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2192-444-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3564-454-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2792-462-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4684-472-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4176-482-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4120-483-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4120-491-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4632-492-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4632-502-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2272-510-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2544-520-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2608-528-0x0000000000400000-0x0000000000435000-memory.dmp
memory/452-538-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5744-546-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5168-556-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4112-564-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1732-567-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1732-575-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4684-585-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3716-595-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1824-603-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5836-613-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2416-623-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4112-631-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2012-641-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4684-649-0x0000000000400000-0x0000000000435000-memory.dmp
memory/972-659-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4492-667-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5352-677-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2864-685-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5748-695-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4960-703-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4628-713-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5236-721-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3740-722-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3740-732-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4064-733-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4064-743-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5096-751-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1104-752-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1828-762-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1104-763-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1828-773-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QIkk.exe
| MD5 | 292918600fdf7faf86ec0fdf465a19ee |
| SHA1 | e80f40f830352ea7ac2625d225f65fef2b566ab7 |
| SHA256 | 9bef4b0754d1cbe39491681b330b580f62ed34563900b6c29b31d41116e66472 |
| SHA512 | c1b87450409b99998029e3640c95f35cec463c8e5dec8ef48d974ce2c8a50ae77c3fa9a5ffa933a6d289902b6d5011e8bd3f17365ffac0bb37ab8513f6070c5f |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 29c2a928487ff80674a13b0b66b5cd64 |
| SHA1 | 7cc6af30f535ecaf1d35c608046b4897b055c6d7 |
| SHA256 | 42698f79dcb27e8d89f4938e28bea64c814c3fa292d12f01c328c7b5b469ae52 |
| SHA512 | 0754e92eeeb353d7525d5027aa01ff49b2e11980ed21c7fbb3901cba4ebba2ef642c06f8b4b4af41203e5119fa0e98f00972066d9fea09974a18f4a8f74c0eec |
C:\Users\Admin\AppData\Local\Temp\yEou.exe
| MD5 | 56918ecec89aac2d9b742400f03da6ed |
| SHA1 | 15b011a35c1fef469bcaa8f8456f812a42b1b985 |
| SHA256 | 5d6c834f08e3e108a72127e622dea3857988dd52e47136590ba3320f28a6d4be |
| SHA512 | 42d6748eb8363eaa818910b4713a628ef82ccda0be68a16a8c243913dee77acd1dc90e348d96b7ee615d3e529d43715321021a32d60fdd22058caa45586a5e9a |
C:\Users\Admin\AppData\Local\Temp\SMcA.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\UEgi.exe
| MD5 | 4ae18a26a53713ff2cc06b1206168ddf |
| SHA1 | cd3640cc26d47303e5ec99abc2ae4df8b5e4f200 |
| SHA256 | 917a8ff14147b555dba6b3af98c9c2d2a2edf0dfbb3467e532c8642276525fd5 |
| SHA512 | 0c796b351cee424edd284e29a59eab5899813d5a5cf626fa5e209035660ca2c3f0c18897aaac939d6826143954655a826a322db79e76522f0c607ee33f3c9ccf |
C:\Users\Admin\AppData\Local\Temp\QYMi.exe
| MD5 | f57246c5cbd1d15da73f838e11bc04ce |
| SHA1 | 9b3b4b46f7227be7ec16410b84ac4a98ec7c557b |
| SHA256 | 41dafcec15bb2085e781ed0c30ec9d10fa62b66f3a3088b2342beeca0542daf0 |
| SHA512 | 0022fa8022c5d47cca8fea32b59808de9a2008825c931af7fbc0435f7dfb8b9f56afd305234458ac9eee4068ee537074a286360c85af91f87b3c773f5cd5a891 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | d17bc8f046f979c049e0ca7290276c57 |
| SHA1 | 48282245d79540432f29ef368bc9c3ad658b57e0 |
| SHA256 | 49892341a652194aaefe52ac1986f6e206204d59403eecb8480a49990fec52a4 |
| SHA512 | e2703aa7ec464b6e42bd5a79d420d9ea0cf902629937d8aa2f6efaaae241965dff0fd1845691a1783c54601c632a50c056c41f21d52c58ae39f237ad60106e81 |
C:\Users\Admin\AppData\Local\Temp\UIMQ.exe
| MD5 | 1ee974e2ec9c7fdafb37d7a9fd2d8ca2 |
| SHA1 | 59287989d1999237be77518df61e51c43425effe |
| SHA256 | 8e9ff3215e1a30de9d16dfe59f30a4e2505d55d434b30e6c00ff586c0825725d |
| SHA512 | 93ce3129e086cb732c6edaf0910d232ae94359a8cb39c49b57f3096da1a5b621230370792682170cb14dc1e3c117368756c1bcac51e1c8637fe958b3e985c54a |
C:\Users\Admin\AppData\Local\Temp\EgMA.exe
| MD5 | c9af9cb711417f4b74205aadaabe3a7b |
| SHA1 | 63b2861d9963016589e7361c73938b391a43b73b |
| SHA256 | 8deb3399bdb80c37257acf08721cc410178373334f1998f490fbcac6b83c89c5 |
| SHA512 | f62600665c1c67d36c977b9f13dad955ed2fcee7ecba900fbb03aff81fee30291954eda1ac937fdebb3c737976dfbe57bc28dea9540293b5e97cd61fc558eaca |
C:\Users\Admin\AppData\Local\Temp\YEwq.exe
| MD5 | 256c9ea79a0af2027767e601facd54a7 |
| SHA1 | e5991803605e57bbf1dc2460a5c521f3874ba155 |
| SHA256 | 2d4ef44e317199535a60967fb89a612a9c302f2680f788fe6b128e5ad208e841 |
| SHA512 | 4c02bf3b939e91f116d479b4fa93c33c075082acd7dd50319a93a042baad91a3e5da72740305403abdc65963f379baf4ffc526f66e79f889f5be89263aab3caf |
C:\Users\Admin\AppData\Local\Temp\kEQS.exe
| MD5 | 2ed24ab640372fb6c1f5ed84da1186c4 |
| SHA1 | 54f721d87d855155ef63902271b0a14cc923f27f |
| SHA256 | 87deacef067071041c86cbc113ef9ce17dcfc8bf1b1444f0497ae6527f9e555f |
| SHA512 | 7c3dedf3e4420041df594b46d5fc3eed101ffbbdf98568d56f6ec8db5fa187e8a7fb1d01d07ab8dcdcbb751f76bb06c67f6d364b81af4210978576c510b5e000 |
C:\Users\Admin\AppData\Local\Temp\IgUK.exe
| MD5 | 87ec5b674c0c8e48cac9dd4131d66220 |
| SHA1 | e8448ed99c14a82a5b6959c4f7822ef7e3802c73 |
| SHA256 | 52576861fe6d63a7b979f625e64fb4f3bb581adb038b2ca39e03fd890e2bac66 |
| SHA512 | 9d52d49f62bd493fa1fced4b8b459d5267742b112a29fbd3ff5b8419b44482d70c3aae3f9b9bcc046658d9b8dba05158bada62611714b69915644b336a0e2fc2 |
C:\Users\Admin\AppData\Local\Temp\EwMm.exe
| MD5 | c9b7ea0665eb50007e18a309c9b14f7d |
| SHA1 | c175873b4e6bf13766d5e94456e9998707371c9f |
| SHA256 | 3379eca4de6fe5cebed747aee7f7ce82283c797e1d9a24cc8921126d3c69f1a2 |
| SHA512 | 4597ee331c59f2048de99c3004235d7e950864bb436e2bb8719b71bc7179200de82e0d71c2c4d621b4eb0b7398813218e59d3b84759dfc15299d128e4133f89f |
C:\Users\Admin\AppData\Local\Temp\AYAY.exe
| MD5 | 941a17abd4b186484050b5f7e3052868 |
| SHA1 | a7acd4d676829777722e56f453184b23e4f80d6f |
| SHA256 | 3c6cba153ba1468d61293f9b9f0ae1f63c203a4205caf403d97e2b8b6c8cd6f2 |
| SHA512 | 2411157fb35c90e1ee809e065d193f97a2251d72b837a81abf2dea75517d4d0f944cd55485cc0aa92695a94884354ae52fa313b4f9cf8a41405e5e27b34d21f7 |
C:\Users\Admin\AppData\Local\Temp\iIoc.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\MUwi.exe
| MD5 | a64fecf1140ae146812a6639fcc3910b |
| SHA1 | be375279aaf5c846415a5772da823aa92fba996f |
| SHA256 | 6bac1ef994bc9b12853ac8c6239cc0e07c50b67cad0b5dbcfc4c5ca76d970e57 |
| SHA512 | 34770ffab312ccb2ddc14a0fc48ebdbeabf74e194f0ec632bdee66d4e24f23b66fe9538bc4fb2a8c191eb9e3c75da972c5745d63829f6f678c4cdedb273f204b |
C:\Users\Admin\AppData\Local\Temp\sQMM.exe
| MD5 | 0ba2539c948156d0684503eacad1c7d2 |
| SHA1 | e24e10b0274a817cce21a030dafbe0bfa44a536e |
| SHA256 | 53cfe0d2780542fcd24d6816e473d7730e51e3abb7654ce229e149903a80fe08 |
| SHA512 | 770e0e41cfc7ad3c798f3bf59adbbab4c80837d04c37be8aa628e1bc485adc5257ec75ea7d9f83b68f83e0368bb50918683fb03b52c82755c37df51e0c8bf8e5 |
C:\Users\Admin\AppData\Local\Temp\YQIs.exe
| MD5 | 8b093c6c23501d7c89b02839a21c54d4 |
| SHA1 | f4a7a7e3e799c0543c17a8afa43161758d984909 |
| SHA256 | 17f4864c92e2dfc0a1434e78b92b57a0e0a69cb316cf58d3fbce3114a5330422 |
| SHA512 | 065e723344f3d93bee0ae5739f4395c3078c7fed2b206986a56c0ae050d650f01884be2b65d3c40ca34a5e00671ab4e93c707ea54d4b2ecf9820e8c0ab578293 |
C:\Users\Admin\AppData\Local\Temp\SAgA.exe
| MD5 | 62290cd20bbd8b3e835099d2d61a024f |
| SHA1 | 62d7fb7663d7f6ce54d276703473337c513106e5 |
| SHA256 | f36bf1a70d356176bcb291932759dfc678e4067039f3ed002f89108f156433c9 |
| SHA512 | a2b053014b159ac8cc0f02952aa3bb1789e2d645b5018fc37016747ee90d73ac17a8f0c164de980cd73292faeae138dec0fcf42d1ede2865f09d6798b0ffb155 |
C:\Users\Admin\AppData\Local\Temp\IUEw.exe
| MD5 | ac473619b9b9ca414c7d2b66ea218115 |
| SHA1 | 48315e96b49e4f0c9e439ed2960cbd08c6678bed |
| SHA256 | 18e4c6ef49fd57132141df001c3eac6ce96e05d7b1ddc3f99e549e86d3125651 |
| SHA512 | e9c33ceb8c4c0552e5d8b4c5ff68e78995b2b10e015aab44a7328840ed4fb1df825bbb8f98e9a585419ef5d140889d574e63ee769344ceefcb2540eb816ce9a4 |
C:\Users\Admin\AppData\Local\Temp\OooE.exe
| MD5 | 2ce7b1621ca4ef0faee8125c36c2258b |
| SHA1 | 408797e24514397f5805f5918cbda515c2dd482f |
| SHA256 | 2a7f5c1758c6648e5b38236d89c0eb1dc419a79f9ab05280e3b05dc46df80dd5 |
| SHA512 | b951dd911346f90e1cf2787fa69bae5bb8b08d24a0e8f8799244924cb8df9ea3f54f6bc91e4c40bc62e87fd708cbcf458d2ab11294c2613c837d004639fe36b7 |
C:\Users\Admin\AppData\Local\Temp\ugkC.exe
| MD5 | b099b295eb57090f85b4e01e7babba47 |
| SHA1 | 0b088e731be75cc5e8d84569de01cbc44811009f |
| SHA256 | 0c6d0f7b457ca009d7d815b2ad928ef652eacf380006fef2bd7aebd28a98d27b |
| SHA512 | b7be3b661fab07226095279b10f25065367d3589eaeb006233272654b3f8f77d60f01fd314d4d394612b32a5b82867566d7b7bab3d1df874c126c06d61c69883 |
C:\Users\Admin\AppData\Local\Temp\IcsK.exe
| MD5 | 3e7353d31484b811a6e36ea56823309f |
| SHA1 | 40b95d923516979634379fabec922c049487a73c |
| SHA256 | e748684183c4888fa8917adc6626b9792f92dabaf2a56794c79c3a548a4e6e93 |
| SHA512 | 2f90850d9bb3226f2ee920ab40172db4f5601978c326d85e733b722de653447173c8f116a1d4f5054060c20a323999c8c8ba275dd010a4b355cd56e77754a5ac |
C:\Users\Admin\AppData\Local\Temp\cAUw.exe
| MD5 | 3b6a2d10b318d2fbae7c3dcad4536e2b |
| SHA1 | 79c193c1e1f07901c2a8c7ceac1653f3eb978e4c |
| SHA256 | 008cb8635fe663107ea48262d6908f39211a741af37e2643aacf65a851f24409 |
| SHA512 | b8174e9fb03e2c6cf21fd0a2f24f7e0293e2b2b69c5eb28a091395d0b91e6ac3e19428edfa62a9fe98f50edc80c6f65d2b7f1a5f49f25dd91b6b76c0915938bf |
C:\Users\Admin\AppData\Local\Temp\oIkm.exe
| MD5 | 3a18ac38d9115383553ee6348cce90f4 |
| SHA1 | 79c162887a9d521a6f78ac5a41220e38f1f88b3f |
| SHA256 | 7df194c15f187ae8619be01b80dfacd8ed65f4c05ea3a2bbfe16f7981d0a5bcc |
| SHA512 | c503c709f0899e6423fb9066477c5bc0114e2b329ebbb60e68943cd75a3fe057ec257125a68206d476487bc60e80b8520d9472313603be8a2ee55be92fcd0568 |
C:\Users\Admin\AppData\Local\Temp\OIEm.exe
| MD5 | 6354e340e9b646712f076fe990454420 |
| SHA1 | 9c196c41da405def40f4fb624e0b4e4afae39c96 |
| SHA256 | 0be243e3a6ef64cd705962df6f688a2ab2716d3146d54a4a1a9c67cfb4051901 |
| SHA512 | 87a45c7e536aa0d05fa9968e3d91fb28249003bf926525d609e86f70937357e7dd94d4e8e455f0b2b328532d06c7247d504d873165ca18d65e8b1d70d4577e4c |
C:\Users\Admin\AppData\Local\Temp\WsYm.exe
| MD5 | 22893cf3b748b92845fce1d7d97b10eb |
| SHA1 | 804088f7a62dc6dcc37054ac2529790c9437d72a |
| SHA256 | 4534ff661852e05c1096a15ec2a8c2c8609108cc56093780ba1ffc54b205ff44 |
| SHA512 | ebb277b3c021f92ef58cd1e616a1bd9596b1fd7f6f65a22a75c2e398ce28a63344eb13cfbdb98b150027dab28118cb483703e99af9f10562eb2d204e40556a80 |
C:\Users\Admin\AppData\Local\Temp\ecwe.exe
| MD5 | 30660207a9e830a5342b9f3586c552da |
| SHA1 | 2298e4dc9038445518650960e8a06032e530df9b |
| SHA256 | b7cd3d0a83278242c3d0211fc57cd3e2c964f7724a9e241d80e29f70706f12b1 |
| SHA512 | 4cf48b18ef7e7d4897fc70d572f7e8c616f7a31f4a2d8285c6a71d16726c25ef3386bad1d1fff96f941d355c99544e2e38da3f1ab2b768eef22c812413a72265 |
C:\Users\Admin\AppData\Local\Temp\wcky.exe
| MD5 | 9afdcdf728c642f3cae758854b961ad5 |
| SHA1 | f81b378848aed3c11145edc69a3e605b2c7734e5 |
| SHA256 | f0296489cc65f19f1b6f14e8c1ee0e3b0932b51d82232809f66dd9631fb12efe |
| SHA512 | 93146a58611ebdfccd9b1625c3bbde58d8303054e52fe4d8e89177db7f5c9c687f3763a4140660b733f31a53ddd3bb8387464e898df3be18affc079e8f8b200e |
C:\Users\Admin\AppData\Local\Temp\KsMI.exe
| MD5 | 86ce8daf70a51cf7bdc1f89468576a67 |
| SHA1 | 7a59576d0849c24cd5f9246a8f79603c51126891 |
| SHA256 | f9e604c3e9eb0f4b3d669bc89567337777a58f30489c497d5f0f521dea18a4b0 |
| SHA512 | 1f4e68241ae54feb247f71f07322085f227d40b2e513667f4e18bece20b1dbf01731d0b1d598a7fa6e3e300ac0acabf0fa9497509c8392e3a35924c1d90fbb03 |
C:\Users\Admin\AppData\Local\Temp\CcEo.exe
| MD5 | 75a4cb3dfcbf6a37f09db79e8a7aa56f |
| SHA1 | 35bf61823b9b3f5aaacfcb4dbe802b869be6dc78 |
| SHA256 | 67067e248e50ca9cc807a550c688de6285e444d558d33fba63c7b87295dd1470 |
| SHA512 | ac6241742a5b7dac3f0883368e57dfd1c039affc681849ec4f1169ff57919370d6d8b56be5fcf7376c4f4910787b4b444f64dcfaa66233278370db7f14498d23 |
C:\Users\Admin\AppData\Local\Temp\yAoA.exe
| MD5 | 1f054bcf52399c1d3b8d702b2704875f |
| SHA1 | ca859a33f50609cbef5f9804acfb47dd86bac64a |
| SHA256 | 3ad9845ae698e6b8d909c8aef2c78312836573cd71190302bef596ae560e0f9d |
| SHA512 | bd5aa2821bd72cf479c2200d54cf2a5868826c860644a3c21d8af970f6a0ec686388d6455f3aa81d13c95317e0dff58acc27586cb6d3a40068a22db22d40b7ee |
C:\Users\Admin\AppData\Local\Temp\mYMc.exe
| MD5 | 7aa9e63e661802f6402d01a5e277e65b |
| SHA1 | c073e5502ad9829d5e9e408f1302c0588487fca6 |
| SHA256 | 497af011d8829bce226ea210a6c9480b08259361ec95ab82d955e25fcc3d3236 |
| SHA512 | 7ca80b973a59d2fd8103b6cccf7048d7fe43ad793f529082f390da80d1e4e26b8792798504490a9a63f04c70f409ee2724dc2f9b723f5ca5b6d2e1c13d03eeaa |
C:\Users\Admin\AppData\Local\Temp\YcII.exe
| MD5 | 4195da76408b2a0fe48207ef87e5c3b4 |
| SHA1 | fc67d113a57053295faf32eeacf31cd6da0c469d |
| SHA256 | 5b2c533017dffc8efa567a3791cd460c2f3c79389220aed5b8c753bee5700890 |
| SHA512 | 9ecd717091ab157af5528c530fb1c5144dbe54ed13867c7419fea67668863e04b7e127b704bba33941c4c5c8498cebebb6307f147ed6bdcda513ef75becfba6e |
C:\Users\Admin\AppData\Local\Temp\IgEm.exe
| MD5 | e1b2c1ed697e086513d4895f8f6e1c5c |
| SHA1 | 5db282fe9b8b58073aafb0ea30d6b0d070384c0a |
| SHA256 | 27a548a5e68fdc42e84c330c23da14b83051091d8a2c80d313c04144c9d8a47c |
| SHA512 | 16e85cb50007d815e8bbcf46d0d07092babf333f372c34077190b279b04e8b8a8a88008220db613171fc74384e80ceaacc55ad51d9f72f6aba977b2035b40cbd |
C:\Users\Admin\AppData\Local\Temp\IgYs.exe
| MD5 | 790a6030b28bb6326f60b45026099125 |
| SHA1 | 4739358898d837a74aae43a45c723954ed16b015 |
| SHA256 | 921cee36d30355b62056590b8a91a6a43301f5aaf26ffe5e83e7dfcec4302432 |
| SHA512 | 4cf88f01b693623b09eba5ec9bd4191b498bf5f5071b99d1004779e98c01244b263704c9b457080d870a0b146292211b8e73722d1c880c9c559b77b0b00ccd90 |
C:\Users\Admin\AppData\Local\Temp\mgkK.exe
| MD5 | 8127e53eb237bdbfd97e16b75598e8ef |
| SHA1 | ef3c5f32306ae54ad9fcd614c309f3cf94529cff |
| SHA256 | 794e09a4a74df08b442f11ad2f2149837aadd59f91ff9e84651b6635a1f0b890 |
| SHA512 | d386490c498950510262744776292a0ff46a08c77f2da2acbda970ac2b498e705f27647815d588100ca729747f0587b3fb2f959b3b9191ca24534c0b16f5e8fc |
C:\Users\Admin\AppData\Local\Temp\QYoM.exe
| MD5 | f9e19311a8ef0213145d495c7735a7d8 |
| SHA1 | a2d9696e22fa9bd41e905a77089b292fac2639f2 |
| SHA256 | ef14538f101973b8021b135afeafb505dff166e206710bd3b090bbc3ea32f6d1 |
| SHA512 | 75dfa1afeda84db40d3003612285d318493c187efd6a4f5af8472c30900e05118b8ad097bfa96dc349609cc4511d595ecde373115ee0613dd17adcc464469f3d |
C:\Users\Admin\AppData\Local\Temp\wQQW.exe
| MD5 | 90e683d91df501a6bfbaccf9ff02ceb2 |
| SHA1 | cd8bea7507257170c668eeb6ff8dedf925224063 |
| SHA256 | c63da826227bcd26bbe30026f89e927bbedaaed269aa4b4d39fd81e15e92c920 |
| SHA512 | f83b3bfdb92e14a7f30fc82c3c8c893bc7614bc7012d8dc71b11ce4c97ef5e97ebce7f28a155a20b5d23245edc179ea96ffe336f33762f3de82be764a000c885 |
C:\Users\Admin\AppData\Local\Temp\wQYg.exe
| MD5 | dc00ab1059b792be480f0433b548eb20 |
| SHA1 | 2e033000ba5d5e7776507c67b13acf5b52b151ad |
| SHA256 | 308a5dd413066b28b9a94a2f8d79654bd103c72c6361bb36fd9588d4c89a7d5b |
| SHA512 | 2a8dbaba43826e7c698f0da3e4d45d73efc3e2f4159e1666f15b5b534a33866c1bdf70136985e8f7f58367aa7302fad3ad8ddc80a49cc03b4855c2e527248bcf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe
| MD5 | df8e4fd61a4ffed80a9632e52899bc78 |
| SHA1 | 32141d14f64b00f32b0d27061952c5f21abad3cc |
| SHA256 | 65dcd10eef91dbb9088288c7a5a95b6f11db24316ae0ff004f4a337733047ad6 |
| SHA512 | 9024e2c39e12e22bc38e7b3be75ff00ec290ac159dc8d8b770edb59fd8e0ef0466962d2dd78baccbdf74c0f791161e4be923c2284b8d243f7ba30ec3619e66f3 |
C:\Users\Admin\AppData\Local\Temp\AgQY.exe
| MD5 | 9259646bd630ee431c508773d84ad051 |
| SHA1 | 21d0aebc99d211ac380d8ca593f84ad78d35c437 |
| SHA256 | ae123fa130f963600bc465c789a64b655d2ed69827919a45e4b7c70289843422 |
| SHA512 | 58ddaafad5debaee269b8ea328acef5478337a3abc61b33a92c4d731c67b863ba74cfc1202e49bf5fbcf7f318f704f5643b692f9d719adafc61a1793930786eb |
C:\Users\Admin\AppData\Local\Temp\MAIc.exe
| MD5 | d53397aef283d9abfef0b5b74bc23859 |
| SHA1 | fbc96eb57168c85f6f51c60f09594e7059348e45 |
| SHA256 | 2f054019cdb876ccd473f5ba5843fe2ff7f0160ce41917ba44a9c64e996d7498 |
| SHA512 | 2230468bac32a854ca28834b56598bd093366664a275daee0c1c0de294430c024e6b4c1ab0d9c56da55e00628f9089eec12f50a6aff2bca3f96b45a2900af51a |
C:\Users\Admin\AppData\Local\Temp\eMIq.exe
| MD5 | 201ea3198ceef789dedf71041ed065e5 |
| SHA1 | 2a44efeb2b1a2c8ca2261b5f1fd7a36efa5608d0 |
| SHA256 | 6b436953d36e4205de0834816b77b5b6dfc82d13a17fbecbe20c6da076a3ad68 |
| SHA512 | 8c68490cf3ff845df86fa64a15b99e3d2f338d2937c0dd49f60f73a774468c0adfd5df9693107ad4dcc99477a710f68ac9ca219074a98ba13a8f616be0698902 |
C:\Users\Admin\AppData\Local\Temp\WEQq.exe
| MD5 | c66cf7d010953e662d71e99e6bfafac8 |
| SHA1 | 230fd6bf2e6b0100d5f08f29df548bc43dedb6a2 |
| SHA256 | 8ddaa221c2f8daeaf43e62d8f7546eafd2d43841a26b39101330f8920c331cc5 |
| SHA512 | 0eaaa28fbc232018ab022493b6834b9ed70d84d1ef7b4357d28f047b658e25c96a96bd6ed2e9c6ca745d0176b5a8f59783390d8765f105c848821de1a360e2cf |
C:\Users\Admin\AppData\Local\Temp\CksA.exe
| MD5 | 0ab077b3f469134f9f2eb6311b003d79 |
| SHA1 | 97e9294d4831212a5f854227f0d6c71f40391043 |
| SHA256 | 9d786f1bf3f6ad0938703ec6e0ebe29f6696cbc2c39ebd50fa6d5937ef85c808 |
| SHA512 | a8c13d3d0e8a5e94715b684b29920d4658f4426a2038dc4eb9d8dd616bef904de9294a3da0fa44f52e1298bee85a65d03ea129816f90f68d55a9a134f3088839 |
C:\Users\Admin\AppData\Local\Temp\eIMc.exe
| MD5 | ea9a7342e0829f0b17ca7d7bea135c5f |
| SHA1 | 6564d6d55861f9c12309524a35f122b832489740 |
| SHA256 | 35bbe55c79921cc2bbb4ae86a2ebcf33c73c2b1140bea1f8cb636fb41ae5a88f |
| SHA512 | 8b9afa0f0833aa6d1cfb25e9123e2d48a56c5bfb80e68f886835cde1d228d5f1bc4df8bd7443b781b5a43e22e5fe71c757518f01b6e4e7a5be9d7e66e1cd2c7d |
C:\Users\Admin\AppData\Local\Temp\ywIw.exe
| MD5 | ce7d478f7df3514eb090d99dc68489ae |
| SHA1 | 5c2d5314dc60a0c77c377235295adbc19fb2683f |
| SHA256 | 2ee85add9b7695c1a8bef259f39857ad03b6b625d11b982cd6e0c3d5ad835fb7 |
| SHA512 | ec0ed67e26239a2d1c9f09fcfd943626bee5fca93aaf142a5294fc53e0f11ab9d4868affdb5c4be3b897b313f3c10aa72546d910dedc0a9c0942651b5c84a6c4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
| MD5 | e03e8cfd73b06a56f7ed7057a35dc981 |
| SHA1 | 066ff7790cf5d824bb1aa8ec6738beceeaf5fa9d |
| SHA256 | e789ebdd5a0ca360e31587546ab72d27a871e93dd04ae75f8dc376d5c119255c |
| SHA512 | d45240d23e2408d7cf590d9e7a525784cfa410ac78e7575b0ede56e7a855cf282343c17c60a52ee12a5e4f5045f6c7c1df4d5567dcb0efa1da5e73aa322b5388 |
C:\Users\Admin\AppData\Local\Temp\kUgq.exe
| MD5 | 09599264983e111bcf8a797d35700ff2 |
| SHA1 | df2ede45bdfb4fc3a8a788fc240e48e6858a3db9 |
| SHA256 | b31438c8d2133e70b126b6d5986721af2ef52295b6e726a63490c23689c94039 |
| SHA512 | 7d4397bbe69ef84f47843ce00f40eaeb037bbb9dd566b20eb2c661d8fdf984312a909078e913bda3d56692de2e7bcce1436dbd72c5c3eddf2c3865007e887eb1 |
C:\Users\Admin\AppData\Local\Temp\oYkm.exe
| MD5 | 41d8317bb93bd4e49194b1e55b9f6cb1 |
| SHA1 | 3a109ff7f8d80025839ade7eb3dad10f6667b046 |
| SHA256 | ae4800cf68f0fa81cc705d532845810477ea720b1b98bda245c9c6f0884ad2aa |
| SHA512 | 38fd239edeca1c48ebbb02d354cd2c81427898322700825118706d96f1673e74d0745cd9f3d11d837695ed9e1ad0e10f973d0fbb8232c9617fd3bb8041276808 |
C:\Users\Admin\AppData\Local\Temp\GUsS.exe
| MD5 | 7fe86d4e4406cc9c7f8ead3ef43b1554 |
| SHA1 | f39f5aecc1a3e0a0b32783c0dbf89b63b3c7381a |
| SHA256 | 54c301576ef66ba5f2bcaeb3c8025fe6a4e5b01573a73f98bac1d606c9f75f52 |
| SHA512 | 83ac9f96412d417cced23333be43a7249d08ba938ab0342b9b076df713dd220adc687e42b130b5cbf7097ac77dd06b06cd09e54da1a07ff1b14f9a49f744a3e6 |
C:\Users\Admin\AppData\Local\Temp\WMoA.exe
| MD5 | 12e63ab566020708989e51e551ccee69 |
| SHA1 | f07c6d25533748809796e8cd7c095b951926dcf1 |
| SHA256 | a4bc6db6c9d5090b8c93c5dafe709399b62651133183bfc1a2eb17f3700f0d46 |
| SHA512 | 6a9fb5f979ba2bed7f42a003af0ba2f932767c32a7812f765779f2811081a7f7047cc2ad7d65a69ce159d126b7810b27a9a1a36ba9a7c18511131e37a45cb4df |
C:\Users\Admin\AppData\Local\Temp\kUEq.exe
| MD5 | 167b4aaca62e15b9407b32cee7dbd18d |
| SHA1 | 4ea7c735b56fab1bfd2c2b71969945b919ec7758 |
| SHA256 | 307c951dbfbfc006b2fbdce5c83a8bbfc6e5e34cfb44bd5f12eee4865f814a36 |
| SHA512 | cd09970bcedcff121a38f0fcee189676fad8795d0ac85f4abad287a7e736ca44aae6912dfa885d43321a2a1c44880f31393ebf25cb18c98d0fb512473020ac12 |
C:\Users\Admin\AppData\Local\Temp\KYQy.exe
| MD5 | c00af1d38f106e90621cd576f6ab1b28 |
| SHA1 | fc3747c48e12ca30b32d877673cc298b7e524176 |
| SHA256 | 7cd67fecbea98b97ae7f98ba4db56bbd15ea7da268f6e65987947fb2718c91fe |
| SHA512 | 2de36481a44a16ff6f4db89088b63334fc66f9a7b147f4e17eb9724c657925b5b69199fa8b59a480cc4daab9ad1d75e0289a96cd7d4560abae284ae2dbc2c0fa |
C:\Users\Admin\AppData\Local\Temp\kcMK.exe
| MD5 | d61bc8c1685e3c1be9c80a0e801ebeee |
| SHA1 | ac6e04c7e727067973b813ae56e221bac3d2e91c |
| SHA256 | 7f2149c3638471c144ab61a8c0b6f5b0e73f4f0bdbc67c9112c1c696c7d7f8e4 |
| SHA512 | 13db976e05bcb365bbbb9f5ac369fc1af96ecccc133ef1e788d610efd31b4b17bfc0a8a4f6369f35eb45915b85e02c3e3363be874b26eccf2651e85d46e9136f |
C:\Users\Admin\AppData\Local\Temp\coAy.exe
| MD5 | ed47aa0f0639f78b2b76ef5520392f8e |
| SHA1 | 35cacbfb1a988ae48ab306a07b9268c27be4a26c |
| SHA256 | 1c47fd6c9a99da2b890e9484bc2e991a0442022a341a83ebe328c3a6616ec6b7 |
| SHA512 | 2ca8d6ec4f0338feb9323b8bd51fd37931a3dd372e571a930e8757164b0c4320ff8db94789dc05f32b4f53b8565c81e9a8eccd9ee92c7366df8c1a3774a81ebe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
| MD5 | 209b159b853ec0047e9da1b55667c02b |
| SHA1 | 55400fc3af81813eb0848d61911307b3b8dd4191 |
| SHA256 | 011bf5d5e1d0963d4d8c6f9271fb8b584f012fbcf8fe3d4c547671696765084e |
| SHA512 | aed6deefe5cc3dc2177b1825d5349853f6318222c6fc45c4623bef39dc045725620d5c146ad4e872cdf3d8b81badd3707a8b3a961f5bf4bcda018a6a1f78efbd |
C:\Users\Admin\AppData\Local\Temp\sMMM.exe
| MD5 | e9f84979dd949561476043bbb4cc8aa5 |
| SHA1 | efa0c573952ffc316b8fed978a286759f57f0253 |
| SHA256 | 7f6d4875eac68d30ba6f84c160b28ac22449822c7280c5ecf74a78fa19f6b97c |
| SHA512 | 7bab880c9b8901316c319295d223638049f4c476f1bb720ba8f277fc7803f5d2ba0893a5fc0a66ae9935d51e87c72738ce52fcfeb4d9bb1c7aaf61d747c13807 |
C:\Users\Admin\AppData\Local\Temp\EQwg.exe
| MD5 | 44a9533075eaabf7859c539a22b69b12 |
| SHA1 | 10107b76cd15e3e5780c7106ab4d6d00a80a96bb |
| SHA256 | 5682e19c6be52ae3ff7c736d4c781ca4062ff72c4d9a17056f4b8c1b0318e544 |
| SHA512 | f341634f656c51e4e383ae2b5f3da91332a4ce9cbe90e22c31c32de057096777febf9e357d9094aeb8aca91914befe27bc8f39c278a491be23b6589e5ec1822e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
| MD5 | 018842befa3663c13edf6d52d1358d8e |
| SHA1 | 944dae64f0d39427c720b6da05b5805707aeb61e |
| SHA256 | 7c5246712592985f2a248fb7e93911043b45c763c79a5fcd7bbc83d0f4fc2930 |
| SHA512 | b39ee13a5518bc56338ba012eeee6c6cc1fd427dfeb123afa75dd2acb08e577f5077fd8541dee29d95256005ec876c61720de863dbca9e03337d196482faf13c |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
| MD5 | 006c3091344d0034aa5d87ee111b0681 |
| SHA1 | 6b8d6a8b5016034bd376305aa844363f38fd211a |
| SHA256 | c97eab9e765fb71b8fd5cceba5b0af9077edd85bf39e53b80602c76b9bad1c10 |
| SHA512 | ac0b16f27b7a563fed6ceead90f34d46fafd7e86de87a8c8d12ff04e2c96036198b538478591b40f1a16a62faeada91e98902fc220ca097d07dccaf054eca77f |
C:\Users\Admin\AppData\Local\Temp\YEgE.exe
| MD5 | fdedb30fd9885b4be5e8a4b414eea2b7 |
| SHA1 | 2df4663d63f4dd3717d54dee224375c93b626069 |
| SHA256 | d743f2192195511500235d71c252aaf5074896d4e7ff762bf42e3e9b3808cbce |
| SHA512 | 621126f6caf98da46b26821d1b255f2b95b4e051b8d29db2eb4e10d07b082fa082a0816da7c30faaf62dff47df61b6680fac46d923820b61b76807b5ad8a572f |
C:\Users\Admin\AppData\Local\Temp\Gskc.exe
| MD5 | c9b7e62b05093254a3629c22d9e79879 |
| SHA1 | 95852a6b0f322e51d47dc860da3d352c08b39e5b |
| SHA256 | 3f9cb94d36060a905496b93ecc80c0c75e6c02fe72e9598d8269442037e116d9 |
| SHA512 | 0873af02c60ffad816a2ca792f555d9d5bdd9579857fc05d83fb5c3a1e127a8f65818414c3408a64ce925e23dec96f24a559d61995bd215be1a333e2cb4d3d63 |
C:\Users\Admin\AppData\Local\Temp\AEci.exe
| MD5 | 8d926641df643a2c5fdc6516865d8043 |
| SHA1 | 24782a3652f8b50d810f55c5170c92be650daa33 |
| SHA256 | 9c88d7f5eab25799e73cce8ccb72c752a12afcbbc3514a36b5f7de0c15b25f04 |
| SHA512 | b34cb7be3fcbdb3d895c21386dbd307dec7683848b14e7578fdec2baebca02e12e72cccfa46a8961c2083ed3d25601d5a3d041cc93bd9328d791655e3371a41c |
C:\Users\Admin\AppData\Local\Temp\usgS.exe
| MD5 | 9b10b093bc01ca46c87117e725b4c7a4 |
| SHA1 | 1bdcb6fb9204d4d9994189b2cee598e9e796aaf9 |
| SHA256 | d8eeb318b3b17e5f85b6d28dc5c5547b4e93a605a6f3d8fb581ee3ea3ba383a5 |
| SHA512 | a23c542c9fb627d352611c022c750936aaca6ef1894b852754824eaf007edecfc5fec5f5c1d2e4403529f5cda1a4be47146fdfc7b4657b6dcf1d1133b98f5791 |
C:\Users\Admin\AppData\Local\Temp\eMkG.exe
| MD5 | cc7f25f7ebd413b70ca6d01489f84451 |
| SHA1 | e02781322f1585550269e1f511a4e56d4f426113 |
| SHA256 | 0037cb5b3d368ceeaf8ae0df340eaeba8420e33f96608a0981730c0cd6f2bc10 |
| SHA512 | 07d44a28e60501890f9d965c3e153dc4d35cf595f033439dd6bfc46e0a699a6718950791ccfed5df55975c6e40ab9fc20753f2d8177361653cb9ff79f90376ac |
C:\Users\Admin\AppData\Local\Temp\MQEo.exe
| MD5 | 72fe45d6a85530f986136717a31e3fbb |
| SHA1 | 13358b91647fba002764ced58a0a5c24ee4a85c2 |
| SHA256 | b721be29dc2e6dfe194bde18446d5e3a586cafde3bef55472b58d07900d8bf86 |
| SHA512 | 78b39e31af2c9e71943e009b2eb64949688457df4045a7f690de964029de187b8c77ce404e83107866b3c2e26d973a2a3782628cc32170e1c3df5d163038d090 |
C:\Users\Admin\AppData\Local\Temp\sIIk.exe
| MD5 | b49af27a71e0570171649fbb4ac97f5f |
| SHA1 | d2b0f6d78af41b90df4db324744ae5270c8dde63 |
| SHA256 | a30d5e2eaaa76aa14cff5a57b2887fa04a913765652476e2bc98468d5ca6bd89 |
| SHA512 | 3c1b959da674a7c25069355a392e4b4a6b5c9a1e2d06f83520cc371d607572f7bbad12cd3690990067c6c6218d77e01325c567b686f3119d6dc0d953dd07cfe5 |
C:\Users\Admin\AppData\Local\Temp\yIwc.exe
| MD5 | 4f4fda6e7705a12ff8b8a1df4847c82b |
| SHA1 | bb5112da09794ded20f2dec9e167a069dd59b079 |
| SHA256 | fe3a16aeee8e7dd1179a872dd08506f73e60ac2c52b96480887dbbc5eb4afda3 |
| SHA512 | b97db65ea5bcb6e828f5b16525e1aae2fd03a4aac6f8b96f406f0356609d0a286fd679c72edd4b9e995e02d27e2404ce64994002bd9cf897886e790a005dd5ad |
C:\Users\Admin\AppData\Local\Temp\ogwg.exe
| MD5 | 75a2db7583ec83e487bece4393c8a11e |
| SHA1 | ea51c9bfb82f37a24bab845f41b60871dd43e5a8 |
| SHA256 | 35203b393d691a4d6526e8b663e7449a98163e42c97faa9df08e7e3013bc049a |
| SHA512 | edb98ff3538385332593d32073d5afad5e09ef881c90ad06ec6cf004d200a2aa5b832ca18fc96cd4711d762e8a7107da0ca7de58906c263e44e9b27fa0da9e3d |
C:\Users\Admin\AppData\Local\Temp\ycoo.exe
| MD5 | 1a2813430a78ae70ecc0b4708a635e9a |
| SHA1 | c6701b13626b0be6ed9debc9eea0604f523e605b |
| SHA256 | 6b44755511329fa0240ab7b5bef3a9c9269a7c0d8c146d39f284c4f06e4e0c3d |
| SHA512 | f81d46727700431d5246612f936d43b5db10ad03b37d7e138bca7b7e82bf762ea078fe9b7782270d3248e4fd1edc219d9ee13c4a0fc0598bf531fa51883de5a2 |
C:\Users\Admin\AppData\Local\Temp\EYUC.exe
| MD5 | 7faf1898013fc8d6c14f4dc4a9f078b4 |
| SHA1 | fb66a028833ed93ad25f77c704482fea1c573c2c |
| SHA256 | 4b50f53fee71133dea902882a3e2c38353256166bb024dacc27801c7e0c61a2a |
| SHA512 | e7d6a180ab02c4a2e517117499a74ff6bfed96f3ca4d85ea0204ed5da2204bd34018c8ca78cada3ee8b1d81a6a55a652327542093d097ad57fc0d864e53f69b2 |
C:\Users\Admin\AppData\Local\Temp\oIYU.exe
| MD5 | 282571a7b6ccd5e780eb23ac05cc3f6e |
| SHA1 | 6f210f8fb486630c9352540948a111687ce759d3 |
| SHA256 | bdd5e56a1c526664f787b21913cafea2bfcb2f96a6b69b99eb7e14b5ac2adbe8 |
| SHA512 | ebec0033e703a3f713695b2b995c6ccbad211a645750fe6d01f26a7baf4c2a177f1454efb31e5ec4d96e34d2e0fa4b28acb44ea2bd5b18a29d7a04cff339d9d9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
| MD5 | 69fe5fbb6e7c1d84ca4e208aca13faed |
| SHA1 | ea0fd87e17c4b443ef32495e957f5e7458e99d1b |
| SHA256 | 489edceaca037a9c76c97a3248d1f0d75654b48884b737c2668e6a1558383cfb |
| SHA512 | cc524b22c4192784e89d0f81abab8e9ddc00098fd5e22aa89c749b82a40e8e4f858a8f064550d89ae523405276f8986b04a4fed7cc8ac8cc62bc0d6a4358eeee |
C:\Users\Admin\AppData\Local\Temp\mcMg.exe
| MD5 | 6ac2ae3a63140c8cf2c044e56657adc0 |
| SHA1 | cd94222a04c2006bf0de97f4a7e9e597ae88e58c |
| SHA256 | c98d2e960e0418516e3747364bca7691ee55ebfa93244a3dbb8c2fcd5586fa17 |
| SHA512 | a049d96f5dbff7a5af70e21f53bda373397a27eb404419a45e0a1daf8b92bfe62e2f8c5eac89a6ebe6e65ee1fb33dc892648590fe3af03dc9cf8156f62607508 |
C:\Users\Admin\AppData\Local\Temp\GUsW.exe
| MD5 | 9c7ee16993ec698b9484fd17e371af63 |
| SHA1 | 4a5ca47e476da51d33f8754d18124f6e0f5af03d |
| SHA256 | 729f0d3c78b2def730f1e3c4ab110d3518c18e104117075249bf188fd4705b91 |
| SHA512 | 2c29e978d32254f91aaee514c0d5340fbeca2a3a4bad5e6eb67f55ff0de1aea1d89134f36f533f4c13e4f75e69bcbcb81c683176f1b0e316f4e4c01792a92908 |
C:\Users\Admin\AppData\Local\Temp\GEIs.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\SUow.exe
| MD5 | a09d10de774a014825cfd0d0a05e5f63 |
| SHA1 | 6ca7e1ca0b028d6982173d7163c64d42e985f2d3 |
| SHA256 | dc91f9a60f58c05babc1047310c78d9282e58cd13a5baea8de91106046c5d6f3 |
| SHA512 | e050a449909b8e80460afca439f1ad56cbffc21ee9ae09bd25608829bc45be8dcd28f06df4608de6c01857b513e8061609786d25e87e5864636786a3c030e837 |
C:\Users\Admin\AppData\Local\Temp\OAkc.exe
| MD5 | 3b9657537f848997821f66b9a93fb574 |
| SHA1 | d2403238de6d45f91382bae09839255ecdc31d33 |
| SHA256 | 819fe968d3bd359687ea6889d5e2879a3ef32f58c7f1cf61771ab5c150998b6a |
| SHA512 | decefdf7a46aa955c0f9f4bf5b39d388be3c060bf7e5bbb3c0442938e06f10e8168d53b088c42ec25f647ce13a846479e4a26694f5886db63548a35f70b36e75 |
C:\Users\Admin\AppData\Local\Temp\qsAK.exe
| MD5 | 97e03f72c7e82751802d8d60efc3f323 |
| SHA1 | a465a6e6d8e671aa3c4c306e329d3accea397be6 |
| SHA256 | ac37943fdcfff4982e46303fbdd463fcf6eed5dce0fe9b03a8b57fdda44e75f2 |
| SHA512 | 7b7416f305116f2f8152792ab0e503c2b285760ffd471ca983256ba0ec999d9d1450723c4ce64127e15f238580338e36f46fd813ddcbe40c37096c06b3fbc734 |
C:\Users\Admin\AppData\Local\Temp\WgIM.exe
| MD5 | d8d6c115b8b0fa3e2c2d27b87f0a9889 |
| SHA1 | 09eb90b9bc5d2388f9c3f14a901c88e2d6d63c4f |
| SHA256 | 52a521d574ba2e98324ef096689ea20716f092808801787e8f857b78cc23e220 |
| SHA512 | 16ca6da6d01482300b4bfc06d725f624643cbc8433e520027c8efd473bbae0b83d894beca0ac0a975bf4d460a4400018c038a058d988a08aeed25b9d5d74ada9 |
C:\Users\Admin\AppData\Local\Temp\kMcY.exe
| MD5 | 16e830394f2c33af300b915095a3e5a9 |
| SHA1 | 77da1e425f03cff29ab039b64edcf27f406ab254 |
| SHA256 | 9c7f660938792efe8dffe26d3613bd3641bb8e163d3e2be0c09fbc4f0166c1fc |
| SHA512 | dd61a6fd64e643b2a40c6c84fe0a06a0d3b2482443f3f605ceebe5046f0ec696e674aa8670c84b745ab8a0dd587713d43b98f7333a82386617e2cc45e65eec9f |
C:\Users\Admin\AppData\Local\Temp\EgEk.exe
| MD5 | b69ae0fa18416c996a6a18ccb4ac698a |
| SHA1 | 18bae1e8b09f14d28b2bf1cfccd40352284d15be |
| SHA256 | 59ed2fa20bd6156c91f63df38aed91bffeac52908c0acb25f2747ebc3e58b391 |
| SHA512 | 3c5c5eed0b0323c11b3f8cd9bf4050bf05cbb345dbfb2c3a5800909d978501ecdadea6cec3a027902bef323ccaa82ab332de5fb1430861ebf7dbb5295512748f |
C:\Users\Admin\AppData\Local\Temp\mcwA.exe
| MD5 | e132542cb80ae0d173498ffb172aeeb2 |
| SHA1 | e6be6374b1e2db19d0b0bb94c4ec0e66063cc694 |
| SHA256 | 2dc6bc10e5ee215851f617780049d9b6d91f5a4cc7543a93e370c15bdac3bc30 |
| SHA512 | 0edfa0209308046c2ec3855922132fb3dfddf3113ceb49c60db9689276a69e231a790599a07e7654d7528585b43faaa15bde714df6fba7554d5557754e9a885b |
C:\Users\Admin\AppData\Local\Temp\sQYy.exe
| MD5 | 846337bd53b7c5ec7e974e038bdb71a1 |
| SHA1 | e6367783ce5d61608ba32381168449574aede3a5 |
| SHA256 | 9d3e76a8de799611f68f9986418766a745a7cbedd66597f2d6a32a8d5554a983 |
| SHA512 | 12201acf869f55f231c120c78deb9a6fecce5d42e8862dff86f59061686a145fe8ce6b1f8a1a6fba7d2ee790143185d960957464a5172d6ee114967ba4b21878 |
C:\Users\Admin\AppData\Local\Temp\kYQg.exe
| MD5 | 8890e1019344f253583849491dc4c1cd |
| SHA1 | 7a1aa57985093f0f7c5b675eeedbd91e4460744f |
| SHA256 | af3b43f65ec8adadd808ae5cd1d4c1e7e774ad066c2deeadcb016245f3d3c88a |
| SHA512 | 18bb3fec030cd5ea67f904cfa5348ffd0063b1c1f82c3a8e6d2ee8230ff5d0c42d0fa14ee5da5c6926260075e0af71a616b1f4201aee34f4c00e022e9745e198 |
C:\Users\Admin\AppData\Local\Temp\wwUa.exe
| MD5 | 5f9d40154b03274695db846e040dc460 |
| SHA1 | d5de19f771d7e467c6a818b661602ab35d07023e |
| SHA256 | adf85bbb1d840c3c917e433d37fc3def8f6ca0713fe267392dbbd18698816fd0 |
| SHA512 | 4a50eff6bd195be713c9c031b5a15a2e7053934663d00c8fa7b8f67476820289d7ddc3127ff5c67c488ee326594b1cb44a30e66df3ef5bff04cd87e47163e1dc |
C:\Users\Admin\AppData\Local\Temp\CwcA.exe
| MD5 | a65b9078bae76af0ebb9c93373ae463d |
| SHA1 | ef84410f76cd59f3f59722bda87767da0f0d52bb |
| SHA256 | 87308ff4e52ecdcb48ea71e681168f3a92afc4f572f24101a5a5a49e78d8e5c2 |
| SHA512 | 4e5e2b0a7507b4a4ffcf181be7f525d8aa64c715877d50d57163ab49474defb32ff67bf2de0772fdd13421a5f7c98be3d5815b1ce23fcc498df561fb3cee41dd |
C:\Users\Admin\AppData\Local\Temp\gowE.exe
| MD5 | 6bb39ace328f866c4d53b5044bcfd5dc |
| SHA1 | 9137d990d2cc7bef3b07d5ad054dc0d854f25e17 |
| SHA256 | e5b5e20401dd508a4696713af265acb5ae75959a68c4c874dbaebdea0b8357d9 |
| SHA512 | b9b1a88b48d9f3e6b25475f99448b3e900759cd57c45186109beeea00f06b729ddff0936cb3fd353c5274bc9e9f149518c8843b2d5414bdfcab83261166cbb0b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
| MD5 | a94097a151a2b8b5a9d432d821d0b743 |
| SHA1 | 4fbfc8c309870b139216afcbcecc8c0b2173de1c |
| SHA256 | 6a325549f495b7f36d4ba927a2a7659af1bf9be84d255962df071c0c60249589 |
| SHA512 | ad48795bd7b84858330eb8d25293e20ee989494983861b4daddf549d35f15f7757e4bfc1d86607b1ff4d82aa14b1704c1dbccf6d807cf5619bbfd22ddcf14055 |
C:\Users\Admin\AppData\Local\Temp\IgwC.exe
| MD5 | 77d7fca9d092c7d18ce35a487d94e8d1 |
| SHA1 | 9ff21daff78582ddbdbf387173a359d19244a987 |
| SHA256 | 9e3ac2dcce6c1dd38e6f03fbe83e63277befaf827091fb4dffcc56b1e0632bf3 |
| SHA512 | 4bb3e8fad7d029f864138364adbf2d1daa44de650d8849b7cfb38521ddf83273a73ff77a29bd63a81d0668e3fa3041cb21c3dfb0ea9bfe8e7b2c16cbb4b2c319 |
C:\Users\Admin\AppData\Roaming\UnpublishDismount.png.exe
| MD5 | ae75cd8e240ccbd287f5a13470db6557 |
| SHA1 | 9710d991c8801863f798c2127725f80238cdef82 |
| SHA256 | 48b1c43635aaa7f091684d071d404abadef7a7f80bcc67788f5abac3927e7c88 |
| SHA512 | e388270e01c1dbafa599cee81dfa67818a56b02a9f965a531a517d008e6f74ecfa0df41744c6e1dc21a6da1aab62424fbbec258f32dcc71bb4390bdd1dddfb1f |
C:\Users\Admin\AppData\Local\Temp\uMMi.exe
| MD5 | e59c1cff4909247aafda27780b779990 |
| SHA1 | 006d83c2a529ce8734edc3583e29b3f620dfd317 |
| SHA256 | f3049e413e7db8a46f9caba1f10f658e757cc8303fe68e76770cb058a957142b |
| SHA512 | 551ae89a10a52672340b6d09a6681f28855a55597a2ee4e9ddac4ddf901374082100ec25422e71e439d2853d659bf5e91e90426c71930b2beee7254ff7dd5728 |
C:\Users\Admin\AppData\Local\Temp\mAAo.exe
| MD5 | e9c52fe02ec982fb7970ce60fbffaf5f |
| SHA1 | 090f92a20dbf8fd9d2129cea6e3810af185e5f01 |
| SHA256 | e894880df6adfd9b04fb94269da2c01c3b1e09466d12843b12f6af376124a69f |
| SHA512 | 32f7b903f9d15d5c7533999b412204ed12e7fc5c2a0127a5cdc44ca4e30e92fb9a53ba8d1363aa14ead75e87c58fe01be44ece1c10cc6cbc8218360ca950e0c5 |
C:\Users\Admin\AppData\Local\Temp\ScYu.exe
| MD5 | 5636beac61dbd366720623ffc4fe61ff |
| SHA1 | f6cdf09166b2ec8e033268ab4b5dae38a644f614 |
| SHA256 | cbc0b344492e160fad1225d5f2cbda4dd7c143ffd9c04bd28bbae5625a648e51 |
| SHA512 | 8d907661a1362e39654134c1037dbdc93fb63e6935548c4beb8904adb7ad1f351c19009fb5340afd30fb52fa9d937310e07b046657dd2dd1af0cca046c2341a1 |
C:\Users\Admin\AppData\Local\Temp\qYYG.exe
| MD5 | 01ad68f99dbf8fe8a98e6a4fd3f0d8e2 |
| SHA1 | 9cb525b2b2378e15dd8632986cfb28b723a937e1 |
| SHA256 | d746fa94383662ec59fa900594dd2d80719a67652c6552204a61aa96f3947fb5 |
| SHA512 | 74ea509df0a1a13ed72d590122d555ea2cac8ca373d08d797fbe6b2bf5bfb97bf9115125be7d11f37754c569bf5a9c7b497ff5188970d7b218012a2e8fa3d956 |
C:\Users\Admin\AppData\Local\Temp\AogE.exe
| MD5 | b673ae7fbb67d637204753de4d1732e0 |
| SHA1 | 7d7473e4cbff9731cfa6641a8c5fb773d1c18805 |
| SHA256 | 0359aa7a7f575c46227c677c1cfccb6fe4b4c1fb7f59ab1cbcfa475ad9653e51 |
| SHA512 | b5713d5996ffac8430cdfaef3444d42bf8a41d804572a3305cb06b513406dc143eb606d9b6a03955e7fa58bacd1aa3d27f7a4d348860b9537219e3c264a3828b |
C:\Users\Admin\AppData\Local\Temp\aIYI.exe
| MD5 | 2f2a046c27fe1d37db7617ab2c069d28 |
| SHA1 | 42c4f2bbf7d5a3f0e8a218152bebfb47609cf335 |
| SHA256 | da1f81672373d5ae87f27a21c0b6626904e5ef41b4758696b8e61ae0a289ecfa |
| SHA512 | deafb9baf77645e0cd0ac2e28254eeda0eaf91657624a6118fd496c4308577ea39ec984c3d276cb811eab4a8dabe17e151b2e5518e931f73046cfc1dff48427c |
C:\Users\Admin\Downloads\SkipConvertTo.pdf.exe
| MD5 | d8dcbd83eb5561080e411e22136dc4c8 |
| SHA1 | 19d03bc925592fdd9c24a799de59416669481604 |
| SHA256 | ddb57602556f108c9d60ad04e7daf6d2d1d92143c0100a064cc21cbcd1881914 |
| SHA512 | 760d69579191326b54224d2ab7e48319c38a7a74a7582dca212db84bc29dab9bb9038815a5bc18aee73c4c0108d37f482ec5920e2b294f2b815614f498d23414 |
C:\Users\Admin\AppData\Local\Temp\qsYW.exe
| MD5 | bde01009db7ec582f73cf3e1c1854751 |
| SHA1 | 38d47d6102727cd9c74277a424c943458ffb0db8 |
| SHA256 | 73452cb240eefcf7f8cdfc7b9da8de80d690d2b1a2e690d621a99d039e2d2043 |
| SHA512 | e3ae09fecabc641a853441c20e72c131cb99ddd2ad0798f2efd413f803f5d76251f479621a5335b76b86f53a3829fc0b36be6ea1d524cc7455642b88ca95eaab |
C:\Users\Admin\AppData\Local\Temp\sAsQ.exe
| MD5 | 126354ce5d6e0b4748c59ce783e61cfc |
| SHA1 | 5f92a32a8b41c2d2608ecdc36fd6d14816b0dfc1 |
| SHA256 | c7efc194eed07e8e5b515b747c82ad998abd973225d0780ba5848eb724787a8b |
| SHA512 | 6b6ef5248d5a724e2e8cc5d65d5c1c18a7fe344bd26e9beb1ede859e947c789ab416f226904753a8441a711ce020a0ed4631151633eab5da860eb44f5c561337 |
C:\Users\Admin\AppData\Local\Temp\CYkq.exe
| MD5 | 76ad4b9058d46078f1b9a96d266e9622 |
| SHA1 | 30441600982036ffb25cca43d64710a5775b8b7e |
| SHA256 | 14255c140f7100dbb742af2d32e01808611c83ae12a2aa79a69411d6a1116292 |
| SHA512 | 715da02e245fb3cab5829e0a3bae7494d274e23799b136f5d30ac645da78639fd73d5caecdf5028cf23e335bb37b1fa2ec5bfbae1fea48f79563279025a9e024 |
C:\Users\Admin\AppData\Local\Temp\Gwcu.exe
| MD5 | 295924398b1c640f5ab5c5205ac831d6 |
| SHA1 | ff686ac95e3f9bfdef72fb1494a93175a07e2a82 |
| SHA256 | d1a173b0e524a810062166d474961547ee35b50b5e2215c09dc6a30a07afe7ae |
| SHA512 | dfe095b71de3edb59621cd73724dac7f8773a0c0c3d1c5bf09dfb399935fd49380dd5c1578a496c13c872df9033153ebc498e31992c18ac2acade5b2c746ab43 |
C:\Users\Admin\AppData\Local\Temp\asQs.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\EwQG.exe
| MD5 | 148c678c28e65ab5a7415bb4a8298c9a |
| SHA1 | b22171095f16a0156e1fd35f66183e3f34bdfaee |
| SHA256 | 0f2e34f841f01e1ae7bd92fd16f1f4ba833551ca4a2a13bead020f461a41906f |
| SHA512 | 063ab8738e4c106998f8080e25bd251e2374ee389d462acfe95ce76974b82210847c4d2cd48e87c4f23aa4400d0b2e9a9b392d69f4e817c42e261feea73126ca |
C:\Users\Admin\AppData\Local\Temp\SMMa.exe
| MD5 | 809ec94bd5600708966cf0613b62ddff |
| SHA1 | 5fcb45659845d23d8e4286e9866b72eb47797609 |
| SHA256 | a199248003544daf57494cd46c7e72fad07ba0af040cacbb66bab52ab1803ada |
| SHA512 | cb6d1e2687b6c0b4af30af732d7c8af5027d916783b2c21b01c7e60ecea9ff670946f95cbb8a69764d7c8d1c2b84412c1fb100bf81e02f71b13cf3e2d70b4ab3 |
C:\Users\Admin\AppData\Local\Temp\eAMQ.exe
| MD5 | 7438a220f57f9fe7baa2c0bb3f40aeba |
| SHA1 | 4143133559b57505dc20c1ab2b6cd974dcdf0f2a |
| SHA256 | 5fa62598251c4fe5eb9cafe44683988d6e60bc3884e716d01ffc076ba995847a |
| SHA512 | 99ce95e8a8f6fdfb538f78db86de7281d79f32538c63a5abe605025152e0ac474f990c272222103e2c3d5452aa2ce4849453f535a06deb637b0d78a03e33c8cf |
C:\Users\Admin\AppData\Local\Temp\cEME.exe
| MD5 | 04e2189042b86228018833f38a07faea |
| SHA1 | 1b75c425807f9dc3f041c23887c714edd9700af1 |
| SHA256 | 00e5cce85d0455208acb368baa4d535d23bce403b78da0f666d1df3eda2f4871 |
| SHA512 | d245b036dabcc879932581bbc67f066f9c2b23233a7ace23dacfcdb2348e0e8cf4e20b98b751bd790884063fc5fa13c448f2e5c1f93bfbf80b7694c9ae555b32 |
C:\Users\Admin\AppData\Local\Temp\eQMI.exe
| MD5 | 72f5e9db2b2f89974cde9b0146117670 |
| SHA1 | 49a9c8207f5648d459bc83039ad8e413eed156fb |
| SHA256 | 877bfe872a2df502d9a28ca3f27fb4e875fc8f3f5b2641b4f66f01bcb88eb95a |
| SHA512 | bed76200e0d5e2a6cc0c8b39cfa6284be388963835ca67acd02b01bb2b4bccf03cc25077af8af6e8dd4bf9cf09e40985cea82e99b47550b3a7dc763745b3d919 |
C:\Users\Admin\AppData\Local\Temp\CAAa.exe
| MD5 | a2432266293a846f2a4b123aa1c4043f |
| SHA1 | 744a58259ac3d5bb2c579ba7d0fa9f7c2aac56e6 |
| SHA256 | 354b7fcaedd3ff48b70be41f089695a3ab859d2a023084b130ac7d270cff9e18 |
| SHA512 | fae06100eb3859270900b32c03344aac9ae506ecfee7908e25a9167f4f7c1b3ab0b466c2919e8cdb7bb7dac62a64a54633792e25bccd5be3fbec8818740950b1 |
C:\Users\Admin\AppData\Local\Temp\UsYM.exe
| MD5 | f45e6f952de5a8f274354578590508c4 |
| SHA1 | 9282ac8afdbdeb64ff96fdd0567e3c1fe01264ab |
| SHA256 | e4c8d5addfe2e19ceff368e5d1dbc8c462c8439c7b0185acba83ea2ce5354c85 |
| SHA512 | 3d392cdf7a41db8c58727e22b4fa25af8fee47b4d751870991c4a6448fde01faf160cba9a74c35cecf2ac17f88d3e8213690dde66551d8ed35a9bb12db7180ec |
C:\Users\Admin\AppData\Local\Temp\kEEg.exe
| MD5 | 2f4be766184c544bc1365a9e888b3dc3 |
| SHA1 | 7d3f01851cfe9cea4f837985cc6c1a5b75405368 |
| SHA256 | ffc89e9e09a71ae3bb54e99f7c238ac03c0fba38ee2a7a40a81d82e20a0c6dab |
| SHA512 | b82e28a1b01a3847827453deeaaaaa52580b6a94c2a09c759892c2e0f1826735165711b634692276add070c61ffb43ecf4d5a48681707780fecb45f40664cbf5 |
C:\Users\Admin\AppData\Local\Temp\IMsS.exe
| MD5 | 4cc44c43f1bf29367370600fdcb3ecd8 |
| SHA1 | db0ba22a02903bd536c86f1f036996d772fca45a |
| SHA256 | 3e031c7799f55a3d6e0abf9d822eb8725887c33058afd640a39213f74494b0ef |
| SHA512 | dc141c1fbb333411a09369d90f38d03b7731b5d41b477fa9e77a94227d0bcfb81c1b543c635a8808553239e774631eb2628740c6db4d686fa5f192c7492d5239 |
C:\Users\Admin\AppData\Local\Temp\qwEk.exe
| MD5 | 0dc0b504ba57578030fd816dd5f8a89c |
| SHA1 | bbf68dcc612a1c8603f264da7ca3ca694fba4ff5 |
| SHA256 | b35be6c544f70088df08a8ddbec29a1f4c7d87afadf328ab090bf8665cc8d141 |
| SHA512 | a35a584b974689cb05ba8c1ec2e62be879fa1c26fa6aefeeb67cd47a118244a37963bd0f629c31f318592cf76ee3b8219e4651d336ddbc695254e4c52120557d |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | b4f8a849d19fab027469f996aa4d433f |
| SHA1 | 819471088827652791f1ffd97d64c5d4e47f88a4 |
| SHA256 | 4c6dede18da4307e17c7b3bd738bb4722f4185eba778d22ffa23b02b16ceefdf |
| SHA512 | ce6a956733f0ea7a22f8bfb70dd6823332c083c808a1ecab018b7520ffe481c3e94e3b4aba408f35093c6a6e51f10444dfe27dace3e22c0f5d857001ff623bdc |
C:\Users\Admin\AppData\Local\Temp\ygou.exe
| MD5 | a7d065a076361ec2fa722322da4a423b |
| SHA1 | dc2b691a4772375685412f346b42e6edd4188d11 |
| SHA256 | a981e8f66955dd47329afe8b425593828f53297d590aa46adf05c44170fcc550 |
| SHA512 | a35a098eb4dab5605ec9eea3002c88b6933f0f7fe039ff03094834a7013f2ea7a297b4aa1d217cd2d666aef247036ec1f63f06ed68553719224100d9e4bab891 |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | f2e10d5a5e4325e91697b30d1bba7278 |
| SHA1 | 6b094b9ea7f8382947d2e47160642e4e8bd052bf |
| SHA256 | f7fc5bdedffc0198a7eb070beca7af872ebdf4b0360e974189acc62edad51c2d |
| SHA512 | d7b7cbd90e220f8ce964ff944a3905d9d1134287eec22f6a873b883e25c906af76e5cafd4a41ccc698b414e5a7ca8d2fcd5f3146f4e9e3f669628b50ecd5d373 |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 6ca830b97eabd25fb4416c8130429571 |
| SHA1 | 82d5f462902cf041953b1fb075f195acd1c63a21 |
| SHA256 | 1ed9be2d88ca65dd07ba17694201e2e66313f94a369aed3ffa0bd66f8fc7597f |
| SHA512 | 34fd567ff2b26a3383d01249131c31262bde7ef7659764bd31fc496f001fd4e673c3d36c8482ba849344f607962f3779cfdc4a5e376a5f4dec3e08bff00ec796 |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | ef6299061b4ca6ca13238dc9ee84a881 |
| SHA1 | 0dcf31bdee1d9a7537f791d97ea1663155873c1f |
| SHA256 | accb5c96b812ecf89cbe752acad5896095622947e70fabceb94202f65c6eaf7e |
| SHA512 | 44ee959aa0b19f3866569961530cfa9b52d1f681064171229a6cb852a68b060227091154e3cede70799c50a252050f324c82d3d300b3faae920d45f3566e651d |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | bbbe33c3518347eda11b0dc60b1b85f2 |
| SHA1 | f0a566ec6fe28af6c6946a7ee96095d35cb6bdc0 |
| SHA256 | 90d75218cf04a0afc7279316cd18b0c9ddf6107a3fa227c296dba96268d125f4 |
| SHA512 | 642e80b3f9677e108bc88d847eae837583a6cab2a649ace9eb7aafaabe991dd7becc9054145fbaacf1be8df6eb65eb3cb80bd963cbf5ebe960cffe522f8b85be |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 11abc8d5d2584becce34e1e029262a49 |
| SHA1 | 0bdb8ef467fc1e8b868ec17fd91c8a13b6fc2323 |
| SHA256 | 513fa7d7234a0485d852d764963f5155e587bc491c102883b7814259c408d88a |
| SHA512 | b523126fefff3304878d8bc199ed5df4c37270c9bc0b9cbf1879454f8c52c5c33867d7dd3e5f631b1795c162f5d1cbf72493d43fbe69bb10e445a5fdca30c688 |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | da4a7742dbab69001e801ecd64914e32 |
| SHA1 | a1170f6b77dea19b3c2b6862a2e7e01ebc097cab |
| SHA256 | a8a38f10ef83eb83516d28e0eead2f61704730de009efe198a8926cc589dbb03 |
| SHA512 | b8d751ff0dea061faf06ee104934e682134dacaeb136592cba8ccfbc1dfdb08f98cab1f39d3c06bbab75bfcd55f9d98e45b4fa49b9cc898136d320ed7848bd88 |
C:\ProgramData\TaQscUUo\jgsIgoUk.inf
| MD5 | 6cbf071a912fc640ecf2ed87fbfe6fa0 |
| SHA1 | 90074dc4faa903a75f44cc6d3ed2b5e36ddbcc0e |
| SHA256 | 2e3ffad5b8c89a0b99396262ed50377c06f1479b8de85bbb6c042baf5c40fb96 |
| SHA512 | c347e0c605bfd984865434d231ec59e637cd8a1a9e210625fd8c22d044781b7c916aaacc89456ccf57c71b83356a42cb378a7fc991db17660af717e1623f0dcc |