Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-qdmyjsdr4z
Target 2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock
SHA256 66e35a160c927741102a10e7944d213c4d70e294988ef3692f6d04528c752759
Tags defense_evasion discovery persistence ransomware spyware stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

66e35a160c927741102a10e7944d213c4d70e294988ef3692f6d04528c752759

Threat Level: Known bad

The file 2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (88) files with added filename extension

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 13:08

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 13:08

Reported

2025-05-18 13:11

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A

Renames multiple (88) files with added filename extension

ransomware

Blocklisted process makes network request


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Users\Admin\RKIYAoAg\mugokIQs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\RKIYAoAg\mugokIQs.exe N/A
N/A N/A C:\ProgramData\TaQscUUo\jgsIgoUk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zwIAYUgs.exe = "C:\\ProgramData\\rOMowAgg\\zwIAYUgs.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mugokIQs.exe = "C:\\Users\\Admin\\RKIYAoAg\\mugokIQs.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgsIgoUk.exe = "C:\\ProgramData\\TaQscUUo\\jgsIgoUk.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jgsIgoUk.exe = "C:\\ProgramData\\TaQscUUo\\jgsIgoUk.exe" C:\ProgramData\TaQscUUo\jgsIgoUk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mugokIQs.exe = "C:\\Users\\Admin\\RKIYAoAg\\mugokIQs.exe" C:\Users\Admin\RKIYAoAg\mugokIQs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkcEQgQo.exe = "C:\\Users\\Admin\\NqwwgYAY\\kkcEQgQo.exe" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\RKIYAoAg\mugokIQs.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\RKIYAoAg\mugokIQs.exe N/A

Enumerates physical storage devices

Program crash


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Users\Admin\RKIYAoAg\mugokIQs.exe
PID 3980 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\ProgramData\TaQscUUo\jgsIgoUk.exe
PID 3980 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3980 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3980 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3980 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
PID 392 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\RKIYAoAg\mugokIQs.exe
PID 2908 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\ProgramData\TaQscUUo\jgsIgoUk.exe
PID 320 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4596 wrote to memory of 6104 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 6104 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
PID 1588 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1108 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe
PID 1588 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1588 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe"

C:\Users\Admin\RKIYAoAg\mugokIQs.exe

"C:\Users\Admin\RKIYAoAg\mugokIQs.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\RKIYAoAg\mugokIQs.exe

C:\ProgramData\TaQscUUo\jgsIgoUk.exe

"C:\ProgramData\TaQscUUo\jgsIgoUk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\TaQscUUo\jgsIgoUk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEMoMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Users\Admin\RKIYAoAg\mugokIQs.exe

C:\Users\Admin\RKIYAoAg\mugokIQs.exe

C:\ProgramData\TaQscUUo\jgsIgoUk.exe

C:\ProgramData\TaQscUUo\jgsIgoUk.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSMEsgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqkckYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCkIwswY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcowoIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSEUMAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEUYswgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmcQAYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsoswcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAcsscU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIQswAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pocAQwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqQkksUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmAwUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQsggYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAIQccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeUMUUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIsYgIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqUgMwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIkYwUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwQQMUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwcYkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byAgocsU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAccYEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqQoMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEwAMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcQsYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegsAAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYUAgkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkcUUgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWQkUwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEsUgMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqUkMkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSAkMgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAUEogwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIwQoQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQMgwgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOAkgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-18_77dbefdf4110403384d3f64fdf4cbc68_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network


Files

SHA1 efa0c573952ffc316b8fed978a286759f57f0253
SHA256 7f6d4875eac68d30ba6f84c160b28ac22449822c7280c5ecf74a78fa19f6b97c
SHA512 7bab880c9b8901316c319295d223638049f4c476f1bb720ba8f277fc7803f5d2ba0893a5fc0a66ae9935d51e87c72738ce52fcfeb4d9bb1c7aaf61d747c13807

C:\Users\Admin\AppData\Local\Temp\EQwg.exe

MD5 44a9533075eaabf7859c539a22b69b12
SHA1 10107b76cd15e3e5780c7106ab4d6d00a80a96bb
SHA256 5682e19c6be52ae3ff7c736d4c781ca4062ff72c4d9a17056f4b8c1b0318e544
SHA512 f341634f656c51e4e383ae2b5f3da91332a4ce9cbe90e22c31c32de057096777febf9e357d9094aeb8aca91914befe27bc8f39c278a491be23b6589e5ec1822e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

MD5 018842befa3663c13edf6d52d1358d8e
SHA1 944dae64f0d39427c720b6da05b5805707aeb61e
SHA256 7c5246712592985f2a248fb7e93911043b45c763c79a5fcd7bbc83d0f4fc2930
SHA512 b39ee13a5518bc56338ba012eeee6c6cc1fd427dfeb123afa75dd2acb08e577f5077fd8541dee29d95256005ec876c61720de863dbca9e03337d196482faf13c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 006c3091344d0034aa5d87ee111b0681
SHA1 6b8d6a8b5016034bd376305aa844363f38fd211a
SHA256 c97eab9e765fb71b8fd5cceba5b0af9077edd85bf39e53b80602c76b9bad1c10
SHA512 ac0b16f27b7a563fed6ceead90f34d46fafd7e86de87a8c8d12ff04e2c96036198b538478591b40f1a16a62faeada91e98902fc220ca097d07dccaf054eca77f

C:\Users\Admin\AppData\Local\Temp\YEgE.exe

MD5 fdedb30fd9885b4be5e8a4b414eea2b7
SHA1 2df4663d63f4dd3717d54dee224375c93b626069
SHA256 d743f2192195511500235d71c252aaf5074896d4e7ff762bf42e3e9b3808cbce
SHA512 621126f6caf98da46b26821d1b255f2b95b4e051b8d29db2eb4e10d07b082fa082a0816da7c30faaf62dff47df61b6680fac46d923820b61b76807b5ad8a572f

C:\Users\Admin\AppData\Local\Temp\Gskc.exe

MD5 c9b7e62b05093254a3629c22d9e79879
SHA1 95852a6b0f322e51d47dc860da3d352c08b39e5b
SHA256 3f9cb94d36060a905496b93ecc80c0c75e6c02fe72e9598d8269442037e116d9
SHA512 0873af02c60ffad816a2ca792f555d9d5bdd9579857fc05d83fb5c3a1e127a8f65818414c3408a64ce925e23dec96f24a559d61995bd215be1a333e2cb4d3d63

C:\Users\Admin\AppData\Local\Temp\AEci.exe

MD5 8d926641df643a2c5fdc6516865d8043
SHA1 24782a3652f8b50d810f55c5170c92be650daa33
SHA256 9c88d7f5eab25799e73cce8ccb72c752a12afcbbc3514a36b5f7de0c15b25f04
SHA512 b34cb7be3fcbdb3d895c21386dbd307dec7683848b14e7578fdec2baebca02e12e72cccfa46a8961c2083ed3d25601d5a3d041cc93bd9328d791655e3371a41c

C:\Users\Admin\AppData\Local\Temp\usgS.exe

MD5 9b10b093bc01ca46c87117e725b4c7a4
SHA1 1bdcb6fb9204d4d9994189b2cee598e9e796aaf9
SHA256 d8eeb318b3b17e5f85b6d28dc5c5547b4e93a605a6f3d8fb581ee3ea3ba383a5
SHA512 a23c542c9fb627d352611c022c750936aaca6ef1894b852754824eaf007edecfc5fec5f5c1d2e4403529f5cda1a4be47146fdfc7b4657b6dcf1d1133b98f5791

C:\Users\Admin\AppData\Local\Temp\eMkG.exe

MD5 cc7f25f7ebd413b70ca6d01489f84451
SHA1 e02781322f1585550269e1f511a4e56d4f426113
SHA256 0037cb5b3d368ceeaf8ae0df340eaeba8420e33f96608a0981730c0cd6f2bc10
SHA512 07d44a28e60501890f9d965c3e153dc4d35cf595f033439dd6bfc46e0a699a6718950791ccfed5df55975c6e40ab9fc20753f2d8177361653cb9ff79f90376ac

C:\Users\Admin\AppData\Local\Temp\MQEo.exe

MD5 72fe45d6a85530f986136717a31e3fbb
SHA1 13358b91647fba002764ced58a0a5c24ee4a85c2
SHA256 b721be29dc2e6dfe194bde18446d5e3a586cafde3bef55472b58d07900d8bf86
SHA512 78b39e31af2c9e71943e009b2eb64949688457df4045a7f690de964029de187b8c77ce404e83107866b3c2e26d973a2a3782628cc32170e1c3df5d163038d090

C:\Users\Admin\AppData\Local\Temp\sIIk.exe

MD5 b49af27a71e0570171649fbb4ac97f5f
SHA1 d2b0f6d78af41b90df4db324744ae5270c8dde63
SHA256 a30d5e2eaaa76aa14cff5a57b2887fa04a913765652476e2bc98468d5ca6bd89
SHA512 3c1b959da674a7c25069355a392e4b4a6b5c9a1e2d06f83520cc371d607572f7bbad12cd3690990067c6c6218d77e01325c567b686f3119d6dc0d953dd07cfe5

C:\Users\Admin\AppData\Local\Temp\yIwc.exe

MD5 4f4fda6e7705a12ff8b8a1df4847c82b
SHA1 bb5112da09794ded20f2dec9e167a069dd59b079
SHA256 fe3a16aeee8e7dd1179a872dd08506f73e60ac2c52b96480887dbbc5eb4afda3
SHA512 b97db65ea5bcb6e828f5b16525e1aae2fd03a4aac6f8b96f406f0356609d0a286fd679c72edd4b9e995e02d27e2404ce64994002bd9cf897886e790a005dd5ad

C:\Users\Admin\AppData\Local\Temp\ogwg.exe

MD5 75a2db7583ec83e487bece4393c8a11e
SHA1 ea51c9bfb82f37a24bab845f41b60871dd43e5a8
SHA256 35203b393d691a4d6526e8b663e7449a98163e42c97faa9df08e7e3013bc049a
SHA512 edb98ff3538385332593d32073d5afad5e09ef881c90ad06ec6cf004d200a2aa5b832ca18fc96cd4711d762e8a7107da0ca7de58906c263e44e9b27fa0da9e3d

C:\Users\Admin\AppData\Local\Temp\ycoo.exe

MD5 1a2813430a78ae70ecc0b4708a635e9a
SHA1 c6701b13626b0be6ed9debc9eea0604f523e605b
SHA256 6b44755511329fa0240ab7b5bef3a9c9269a7c0d8c146d39f284c4f06e4e0c3d
SHA512 f81d46727700431d5246612f936d43b5db10ad03b37d7e138bca7b7e82bf762ea078fe9b7782270d3248e4fd1edc219d9ee13c4a0fc0598bf531fa51883de5a2

C:\Users\Admin\AppData\Local\Temp\EYUC.exe

MD5 7faf1898013fc8d6c14f4dc4a9f078b4
SHA1 fb66a028833ed93ad25f77c704482fea1c573c2c
SHA256 4b50f53fee71133dea902882a3e2c38353256166bb024dacc27801c7e0c61a2a
SHA512 e7d6a180ab02c4a2e517117499a74ff6bfed96f3ca4d85ea0204ed5da2204bd34018c8ca78cada3ee8b1d81a6a55a652327542093d097ad57fc0d864e53f69b2

C:\Users\Admin\AppData\Local\Temp\oIYU.exe

MD5 282571a7b6ccd5e780eb23ac05cc3f6e
SHA1 6f210f8fb486630c9352540948a111687ce759d3
SHA256 bdd5e56a1c526664f787b21913cafea2bfcb2f96a6b69b99eb7e14b5ac2adbe8
SHA512 ebec0033e703a3f713695b2b995c6ccbad211a645750fe6d01f26a7baf4c2a177f1454efb31e5ec4d96e34d2e0fa4b28acb44ea2bd5b18a29d7a04cff339d9d9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 69fe5fbb6e7c1d84ca4e208aca13faed
SHA1 ea0fd87e17c4b443ef32495e957f5e7458e99d1b
SHA256 489edceaca037a9c76c97a3248d1f0d75654b48884b737c2668e6a1558383cfb
SHA512 cc524b22c4192784e89d0f81abab8e9ddc00098fd5e22aa89c749b82a40e8e4f858a8f064550d89ae523405276f8986b04a4fed7cc8ac8cc62bc0d6a4358eeee

C:\Users\Admin\AppData\Local\Temp\mcMg.exe

MD5 6ac2ae3a63140c8cf2c044e56657adc0
SHA1 cd94222a04c2006bf0de97f4a7e9e597ae88e58c
SHA256 c98d2e960e0418516e3747364bca7691ee55ebfa93244a3dbb8c2fcd5586fa17
SHA512 a049d96f5dbff7a5af70e21f53bda373397a27eb404419a45e0a1daf8b92bfe62e2f8c5eac89a6ebe6e65ee1fb33dc892648590fe3af03dc9cf8156f62607508

C:\Users\Admin\AppData\Local\Temp\GUsW.exe

MD5 9c7ee16993ec698b9484fd17e371af63
SHA1 4a5ca47e476da51d33f8754d18124f6e0f5af03d
SHA256 729f0d3c78b2def730f1e3c4ab110d3518c18e104117075249bf188fd4705b91
SHA512 2c29e978d32254f91aaee514c0d5340fbeca2a3a4bad5e6eb67f55ff0de1aea1d89134f36f533f4c13e4f75e69bcbcb81c683176f1b0e316f4e4c01792a92908

C:\Users\Admin\AppData\Local\Temp\GEIs.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\SUow.exe

MD5 a09d10de774a014825cfd0d0a05e5f63
SHA1 6ca7e1ca0b028d6982173d7163c64d42e985f2d3
SHA256 dc91f9a60f58c05babc1047310c78d9282e58cd13a5baea8de91106046c5d6f3
SHA512 e050a449909b8e80460afca439f1ad56cbffc21ee9ae09bd25608829bc45be8dcd28f06df4608de6c01857b513e8061609786d25e87e5864636786a3c030e837

C:\Users\Admin\AppData\Local\Temp\OAkc.exe

MD5 3b9657537f848997821f66b9a93fb574
SHA1 d2403238de6d45f91382bae09839255ecdc31d33
SHA256 819fe968d3bd359687ea6889d5e2879a3ef32f58c7f1cf61771ab5c150998b6a
SHA512 decefdf7a46aa955c0f9f4bf5b39d388be3c060bf7e5bbb3c0442938e06f10e8168d53b088c42ec25f647ce13a846479e4a26694f5886db63548a35f70b36e75

C:\Users\Admin\AppData\Local\Temp\qsAK.exe

MD5 97e03f72c7e82751802d8d60efc3f323
SHA1 a465a6e6d8e671aa3c4c306e329d3accea397be6
SHA256 ac37943fdcfff4982e46303fbdd463fcf6eed5dce0fe9b03a8b57fdda44e75f2
SHA512 7b7416f305116f2f8152792ab0e503c2b285760ffd471ca983256ba0ec999d9d1450723c4ce64127e15f238580338e36f46fd813ddcbe40c37096c06b3fbc734

C:\Users\Admin\AppData\Local\Temp\WgIM.exe

MD5 d8d6c115b8b0fa3e2c2d27b87f0a9889
SHA1 09eb90b9bc5d2388f9c3f14a901c88e2d6d63c4f
SHA256 52a521d574ba2e98324ef096689ea20716f092808801787e8f857b78cc23e220
SHA512 16ca6da6d01482300b4bfc06d725f624643cbc8433e520027c8efd473bbae0b83d894beca0ac0a975bf4d460a4400018c038a058d988a08aeed25b9d5d74ada9

C:\Users\Admin\AppData\Local\Temp\kMcY.exe

MD5 16e830394f2c33af300b915095a3e5a9
SHA1 77da1e425f03cff29ab039b64edcf27f406ab254
SHA256 9c7f660938792efe8dffe26d3613bd3641bb8e163d3e2be0c09fbc4f0166c1fc
SHA512 dd61a6fd64e643b2a40c6c84fe0a06a0d3b2482443f3f605ceebe5046f0ec696e674aa8670c84b745ab8a0dd587713d43b98f7333a82386617e2cc45e65eec9f

C:\Users\Admin\AppData\Local\Temp\EgEk.exe

MD5 b69ae0fa18416c996a6a18ccb4ac698a
SHA1 18bae1e8b09f14d28b2bf1cfccd40352284d15be
SHA256 59ed2fa20bd6156c91f63df38aed91bffeac52908c0acb25f2747ebc3e58b391
SHA512 3c5c5eed0b0323c11b3f8cd9bf4050bf05cbb345dbfb2c3a5800909d978501ecdadea6cec3a027902bef323ccaa82ab332de5fb1430861ebf7dbb5295512748f

C:\Users\Admin\AppData\Local\Temp\mcwA.exe

MD5 e132542cb80ae0d173498ffb172aeeb2
SHA1 e6be6374b1e2db19d0b0bb94c4ec0e66063cc694
SHA256 2dc6bc10e5ee215851f617780049d9b6d91f5a4cc7543a93e370c15bdac3bc30
SHA512 0edfa0209308046c2ec3855922132fb3dfddf3113ceb49c60db9689276a69e231a790599a07e7654d7528585b43faaa15bde714df6fba7554d5557754e9a885b

C:\Users\Admin\AppData\Local\Temp\sQYy.exe

MD5 846337bd53b7c5ec7e974e038bdb71a1
SHA1 e6367783ce5d61608ba32381168449574aede3a5
SHA256 9d3e76a8de799611f68f9986418766a745a7cbedd66597f2d6a32a8d5554a983
SHA512 12201acf869f55f231c120c78deb9a6fecce5d42e8862dff86f59061686a145fe8ce6b1f8a1a6fba7d2ee790143185d960957464a5172d6ee114967ba4b21878

C:\Users\Admin\AppData\Local\Temp\kYQg.exe

MD5 8890e1019344f253583849491dc4c1cd
SHA1 7a1aa57985093f0f7c5b675eeedbd91e4460744f
SHA256 af3b43f65ec8adadd808ae5cd1d4c1e7e774ad066c2deeadcb016245f3d3c88a
SHA512 18bb3fec030cd5ea67f904cfa5348ffd0063b1c1f82c3a8e6d2ee8230ff5d0c42d0fa14ee5da5c6926260075e0af71a616b1f4201aee34f4c00e022e9745e198

C:\Users\Admin\AppData\Local\Temp\wwUa.exe

MD5 5f9d40154b03274695db846e040dc460
SHA1 d5de19f771d7e467c6a818b661602ab35d07023e
SHA256 adf85bbb1d840c3c917e433d37fc3def8f6ca0713fe267392dbbd18698816fd0
SHA512 4a50eff6bd195be713c9c031b5a15a2e7053934663d00c8fa7b8f67476820289d7ddc3127ff5c67c488ee326594b1cb44a30e66df3ef5bff04cd87e47163e1dc

C:\Users\Admin\AppData\Local\Temp\CwcA.exe

MD5 a65b9078bae76af0ebb9c93373ae463d
SHA1 ef84410f76cd59f3f59722bda87767da0f0d52bb
SHA256 87308ff4e52ecdcb48ea71e681168f3a92afc4f572f24101a5a5a49e78d8e5c2
SHA512 4e5e2b0a7507b4a4ffcf181be7f525d8aa64c715877d50d57163ab49474defb32ff67bf2de0772fdd13421a5f7c98be3d5815b1ce23fcc498df561fb3cee41dd

C:\Users\Admin\AppData\Local\Temp\gowE.exe

MD5 6bb39ace328f866c4d53b5044bcfd5dc
SHA1 9137d990d2cc7bef3b07d5ad054dc0d854f25e17
SHA256 e5b5e20401dd508a4696713af265acb5ae75959a68c4c874dbaebdea0b8357d9
SHA512 b9b1a88b48d9f3e6b25475f99448b3e900759cd57c45186109beeea00f06b729ddff0936cb3fd353c5274bc9e9f149518c8843b2d5414bdfcab83261166cbb0b

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 a94097a151a2b8b5a9d432d821d0b743
SHA1 4fbfc8c309870b139216afcbcecc8c0b2173de1c
SHA256 6a325549f495b7f36d4ba927a2a7659af1bf9be84d255962df071c0c60249589
SHA512 ad48795bd7b84858330eb8d25293e20ee989494983861b4daddf549d35f15f7757e4bfc1d86607b1ff4d82aa14b1704c1dbccf6d807cf5619bbfd22ddcf14055

C:\Users\Admin\AppData\Local\Temp\IgwC.exe

MD5 77d7fca9d092c7d18ce35a487d94e8d1
SHA1 9ff21daff78582ddbdbf387173a359d19244a987
SHA256 9e3ac2dcce6c1dd38e6f03fbe83e63277befaf827091fb4dffcc56b1e0632bf3
SHA512 4bb3e8fad7d029f864138364adbf2d1daa44de650d8849b7cfb38521ddf83273a73ff77a29bd63a81d0668e3fa3041cb21c3dfb0ea9bfe8e7b2c16cbb4b2c319

C:\Users\Admin\AppData\Roaming\UnpublishDismount.png.exe

MD5 ae75cd8e240ccbd287f5a13470db6557
SHA1 9710d991c8801863f798c2127725f80238cdef82
SHA256 48b1c43635aaa7f091684d071d404abadef7a7f80bcc67788f5abac3927e7c88
SHA512 e388270e01c1dbafa599cee81dfa67818a56b02a9f965a531a517d008e6f74ecfa0df41744c6e1dc21a6da1aab62424fbbec258f32dcc71bb4390bdd1dddfb1f

C:\Users\Admin\AppData\Local\Temp\uMMi.exe

MD5 e59c1cff4909247aafda27780b779990
SHA1 006d83c2a529ce8734edc3583e29b3f620dfd317
SHA256 f3049e413e7db8a46f9caba1f10f658e757cc8303fe68e76770cb058a957142b
SHA512 551ae89a10a52672340b6d09a6681f28855a55597a2ee4e9ddac4ddf901374082100ec25422e71e439d2853d659bf5e91e90426c71930b2beee7254ff7dd5728

C:\Users\Admin\AppData\Local\Temp\mAAo.exe

MD5 e9c52fe02ec982fb7970ce60fbffaf5f
SHA1 090f92a20dbf8fd9d2129cea6e3810af185e5f01
SHA256 e894880df6adfd9b04fb94269da2c01c3b1e09466d12843b12f6af376124a69f
SHA512 32f7b903f9d15d5c7533999b412204ed12e7fc5c2a0127a5cdc44ca4e30e92fb9a53ba8d1363aa14ead75e87c58fe01be44ece1c10cc6cbc8218360ca950e0c5

C:\Users\Admin\AppData\Local\Temp\ScYu.exe

MD5 5636beac61dbd366720623ffc4fe61ff
SHA1 f6cdf09166b2ec8e033268ab4b5dae38a644f614
SHA256 cbc0b344492e160fad1225d5f2cbda4dd7c143ffd9c04bd28bbae5625a648e51
SHA512 8d907661a1362e39654134c1037dbdc93fb63e6935548c4beb8904adb7ad1f351c19009fb5340afd30fb52fa9d937310e07b046657dd2dd1af0cca046c2341a1

C:\Users\Admin\AppData\Local\Temp\qYYG.exe

MD5 01ad68f99dbf8fe8a98e6a4fd3f0d8e2
SHA1 9cb525b2b2378e15dd8632986cfb28b723a937e1
SHA256 d746fa94383662ec59fa900594dd2d80719a67652c6552204a61aa96f3947fb5
SHA512 74ea509df0a1a13ed72d590122d555ea2cac8ca373d08d797fbe6b2bf5bfb97bf9115125be7d11f37754c569bf5a9c7b497ff5188970d7b218012a2e8fa3d956

C:\Users\Admin\AppData\Local\Temp\AogE.exe

MD5 b673ae7fbb67d637204753de4d1732e0
SHA1 7d7473e4cbff9731cfa6641a8c5fb773d1c18805
SHA256 0359aa7a7f575c46227c677c1cfccb6fe4b4c1fb7f59ab1cbcfa475ad9653e51
SHA512 b5713d5996ffac8430cdfaef3444d42bf8a41d804572a3305cb06b513406dc143eb606d9b6a03955e7fa58bacd1aa3d27f7a4d348860b9537219e3c264a3828b

C:\Users\Admin\AppData\Local\Temp\aIYI.exe

MD5 2f2a046c27fe1d37db7617ab2c069d28
SHA1 42c4f2bbf7d5a3f0e8a218152bebfb47609cf335
SHA256 da1f81672373d5ae87f27a21c0b6626904e5ef41b4758696b8e61ae0a289ecfa
SHA512 deafb9baf77645e0cd0ac2e28254eeda0eaf91657624a6118fd496c4308577ea39ec984c3d276cb811eab4a8dabe17e151b2e5518e931f73046cfc1dff48427c

C:\Users\Admin\Downloads\SkipConvertTo.pdf.exe

MD5 d8dcbd83eb5561080e411e22136dc4c8
SHA1 19d03bc925592fdd9c24a799de59416669481604
SHA256 ddb57602556f108c9d60ad04e7daf6d2d1d92143c0100a064cc21cbcd1881914
SHA512 760d69579191326b54224d2ab7e48319c38a7a74a7582dca212db84bc29dab9bb9038815a5bc18aee73c4c0108d37f482ec5920e2b294f2b815614f498d23414

C:\Users\Admin\AppData\Local\Temp\qsYW.exe

MD5 bde01009db7ec582f73cf3e1c1854751
SHA1 38d47d6102727cd9c74277a424c943458ffb0db8
SHA256 73452cb240eefcf7f8cdfc7b9da8de80d690d2b1a2e690d621a99d039e2d2043
SHA512 e3ae09fecabc641a853441c20e72c131cb99ddd2ad0798f2efd413f803f5d76251f479621a5335b76b86f53a3829fc0b36be6ea1d524cc7455642b88ca95eaab

C:\Users\Admin\AppData\Local\Temp\sAsQ.exe

MD5 126354ce5d6e0b4748c59ce783e61cfc
SHA1 5f92a32a8b41c2d2608ecdc36fd6d14816b0dfc1
SHA256 c7efc194eed07e8e5b515b747c82ad998abd973225d0780ba5848eb724787a8b
SHA512 6b6ef5248d5a724e2e8cc5d65d5c1c18a7fe344bd26e9beb1ede859e947c789ab416f226904753a8441a711ce020a0ed4631151633eab5da860eb44f5c561337

C:\Users\Admin\AppData\Local\Temp\CYkq.exe

MD5 76ad4b9058d46078f1b9a96d266e9622
SHA1 30441600982036ffb25cca43d64710a5775b8b7e
SHA256 14255c140f7100dbb742af2d32e01808611c83ae12a2aa79a69411d6a1116292
SHA512 715da02e245fb3cab5829e0a3bae7494d274e23799b136f5d30ac645da78639fd73d5caecdf5028cf23e335bb37b1fa2ec5bfbae1fea48f79563279025a9e024

C:\Users\Admin\AppData\Local\Temp\Gwcu.exe

MD5 295924398b1c640f5ab5c5205ac831d6
SHA1 ff686ac95e3f9bfdef72fb1494a93175a07e2a82
SHA256 d1a173b0e524a810062166d474961547ee35b50b5e2215c09dc6a30a07afe7ae
SHA512 dfe095b71de3edb59621cd73724dac7f8773a0c0c3d1c5bf09dfb399935fd49380dd5c1578a496c13c872df9033153ebc498e31992c18ac2acade5b2c746ab43

C:\Users\Admin\AppData\Local\Temp\asQs.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\EwQG.exe

MD5 148c678c28e65ab5a7415bb4a8298c9a
SHA1 b22171095f16a0156e1fd35f66183e3f34bdfaee
SHA256 0f2e34f841f01e1ae7bd92fd16f1f4ba833551ca4a2a13bead020f461a41906f
SHA512 063ab8738e4c106998f8080e25bd251e2374ee389d462acfe95ce76974b82210847c4d2cd48e87c4f23aa4400d0b2e9a9b392d69f4e817c42e261feea73126ca

C:\Users\Admin\AppData\Local\Temp\SMMa.exe

MD5 809ec94bd5600708966cf0613b62ddff
SHA1 5fcb45659845d23d8e4286e9866b72eb47797609
SHA256 a199248003544daf57494cd46c7e72fad07ba0af040cacbb66bab52ab1803ada
SHA512 cb6d1e2687b6c0b4af30af732d7c8af5027d916783b2c21b01c7e60ecea9ff670946f95cbb8a69764d7c8d1c2b84412c1fb100bf81e02f71b13cf3e2d70b4ab3

C:\Users\Admin\AppData\Local\Temp\eAMQ.exe

MD5 7438a220f57f9fe7baa2c0bb3f40aeba
SHA1 4143133559b57505dc20c1ab2b6cd974dcdf0f2a
SHA256 5fa62598251c4fe5eb9cafe44683988d6e60bc3884e716d01ffc076ba995847a
SHA512 99ce95e8a8f6fdfb538f78db86de7281d79f32538c63a5abe605025152e0ac474f990c272222103e2c3d5452aa2ce4849453f535a06deb637b0d78a03e33c8cf

C:\Users\Admin\AppData\Local\Temp\cEME.exe

MD5 04e2189042b86228018833f38a07faea
SHA1 1b75c425807f9dc3f041c23887c714edd9700af1
SHA256 00e5cce85d0455208acb368baa4d535d23bce403b78da0f666d1df3eda2f4871
SHA512 d245b036dabcc879932581bbc67f066f9c2b23233a7ace23dacfcdb2348e0e8cf4e20b98b751bd790884063fc5fa13c448f2e5c1f93bfbf80b7694c9ae555b32

C:\Users\Admin\AppData\Local\Temp\eQMI.exe

MD5 72f5e9db2b2f89974cde9b0146117670
SHA1 49a9c8207f5648d459bc83039ad8e413eed156fb
SHA256 877bfe872a2df502d9a28ca3f27fb4e875fc8f3f5b2641b4f66f01bcb88eb95a
SHA512 bed76200e0d5e2a6cc0c8b39cfa6284be388963835ca67acd02b01bb2b4bccf03cc25077af8af6e8dd4bf9cf09e40985cea82e99b47550b3a7dc763745b3d919

C:\Users\Admin\AppData\Local\Temp\CAAa.exe

MD5 a2432266293a846f2a4b123aa1c4043f
SHA1 744a58259ac3d5bb2c579ba7d0fa9f7c2aac56e6
SHA256 354b7fcaedd3ff48b70be41f089695a3ab859d2a023084b130ac7d270cff9e18
SHA512 fae06100eb3859270900b32c03344aac9ae506ecfee7908e25a9167f4f7c1b3ab0b466c2919e8cdb7bb7dac62a64a54633792e25bccd5be3fbec8818740950b1

C:\Users\Admin\AppData\Local\Temp\UsYM.exe

MD5 f45e6f952de5a8f274354578590508c4
SHA1 9282ac8afdbdeb64ff96fdd0567e3c1fe01264ab
SHA256 e4c8d5addfe2e19ceff368e5d1dbc8c462c8439c7b0185acba83ea2ce5354c85
SHA512 3d392cdf7a41db8c58727e22b4fa25af8fee47b4d751870991c4a6448fde01faf160cba9a74c35cecf2ac17f88d3e8213690dde66551d8ed35a9bb12db7180ec

C:\Users\Admin\AppData\Local\Temp\kEEg.exe

MD5 2f4be766184c544bc1365a9e888b3dc3
SHA1 7d3f01851cfe9cea4f837985cc6c1a5b75405368
SHA256 ffc89e9e09a71ae3bb54e99f7c238ac03c0fba38ee2a7a40a81d82e20a0c6dab
SHA512 b82e28a1b01a3847827453deeaaaaa52580b6a94c2a09c759892c2e0f1826735165711b634692276add070c61ffb43ecf4d5a48681707780fecb45f40664cbf5

C:\Users\Admin\AppData\Local\Temp\IMsS.exe

MD5 4cc44c43f1bf29367370600fdcb3ecd8
SHA1 db0ba22a02903bd536c86f1f036996d772fca45a
SHA256 3e031c7799f55a3d6e0abf9d822eb8725887c33058afd640a39213f74494b0ef
SHA512 dc141c1fbb333411a09369d90f38d03b7731b5d41b477fa9e77a94227d0bcfb81c1b543c635a8808553239e774631eb2628740c6db4d686fa5f192c7492d5239

C:\Users\Admin\AppData\Local\Temp\qwEk.exe

MD5 0dc0b504ba57578030fd816dd5f8a89c
SHA1 bbf68dcc612a1c8603f264da7ca3ca694fba4ff5
SHA256 b35be6c544f70088df08a8ddbec29a1f4c7d87afadf328ab090bf8665cc8d141
SHA512 a35a584b974689cb05ba8c1ec2e62be879fa1c26fa6aefeeb67cd47a118244a37963bd0f629c31f318592cf76ee3b8219e4651d336ddbc695254e4c52120557d

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 b4f8a849d19fab027469f996aa4d433f
SHA1 819471088827652791f1ffd97d64c5d4e47f88a4
SHA256 4c6dede18da4307e17c7b3bd738bb4722f4185eba778d22ffa23b02b16ceefdf
SHA512 ce6a956733f0ea7a22f8bfb70dd6823332c083c808a1ecab018b7520ffe481c3e94e3b4aba408f35093c6a6e51f10444dfe27dace3e22c0f5d857001ff623bdc

C:\Users\Admin\AppData\Local\Temp\ygou.exe

MD5 a7d065a076361ec2fa722322da4a423b
SHA1 dc2b691a4772375685412f346b42e6edd4188d11
SHA256 a981e8f66955dd47329afe8b425593828f53297d590aa46adf05c44170fcc550
SHA512 a35a098eb4dab5605ec9eea3002c88b6933f0f7fe039ff03094834a7013f2ea7a297b4aa1d217cd2d666aef247036ec1f63f06ed68553719224100d9e4bab891

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 f2e10d5a5e4325e91697b30d1bba7278
SHA1 6b094b9ea7f8382947d2e47160642e4e8bd052bf
SHA256 f7fc5bdedffc0198a7eb070beca7af872ebdf4b0360e974189acc62edad51c2d
SHA512 d7b7cbd90e220f8ce964ff944a3905d9d1134287eec22f6a873b883e25c906af76e5cafd4a41ccc698b414e5a7ca8d2fcd5f3146f4e9e3f669628b50ecd5d373

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 6ca830b97eabd25fb4416c8130429571
SHA1 82d5f462902cf041953b1fb075f195acd1c63a21
SHA256 1ed9be2d88ca65dd07ba17694201e2e66313f94a369aed3ffa0bd66f8fc7597f
SHA512 34fd567ff2b26a3383d01249131c31262bde7ef7659764bd31fc496f001fd4e673c3d36c8482ba849344f607962f3779cfdc4a5e376a5f4dec3e08bff00ec796

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 ef6299061b4ca6ca13238dc9ee84a881
SHA1 0dcf31bdee1d9a7537f791d97ea1663155873c1f
SHA256 accb5c96b812ecf89cbe752acad5896095622947e70fabceb94202f65c6eaf7e
SHA512 44ee959aa0b19f3866569961530cfa9b52d1f681064171229a6cb852a68b060227091154e3cede70799c50a252050f324c82d3d300b3faae920d45f3566e651d

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 bbbe33c3518347eda11b0dc60b1b85f2
SHA1 f0a566ec6fe28af6c6946a7ee96095d35cb6bdc0
SHA256 90d75218cf04a0afc7279316cd18b0c9ddf6107a3fa227c296dba96268d125f4
SHA512 642e80b3f9677e108bc88d847eae837583a6cab2a649ace9eb7aafaabe991dd7becc9054145fbaacf1be8df6eb65eb3cb80bd963cbf5ebe960cffe522f8b85be

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 11abc8d5d2584becce34e1e029262a49
SHA1 0bdb8ef467fc1e8b868ec17fd91c8a13b6fc2323
SHA256 513fa7d7234a0485d852d764963f5155e587bc491c102883b7814259c408d88a
SHA512 b523126fefff3304878d8bc199ed5df4c37270c9bc0b9cbf1879454f8c52c5c33867d7dd3e5f631b1795c162f5d1cbf72493d43fbe69bb10e445a5fdca30c688

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 da4a7742dbab69001e801ecd64914e32
SHA1 a1170f6b77dea19b3c2b6862a2e7e01ebc097cab
SHA256 a8a38f10ef83eb83516d28e0eead2f61704730de009efe198a8926cc589dbb03
SHA512 b8d751ff0dea061faf06ee104934e682134dacaeb136592cba8ccfbc1dfdb08f98cab1f39d3c06bbab75bfcd55f9d98e45b4fa49b9cc898136d320ed7848bd88

C:\ProgramData\TaQscUUo\jgsIgoUk.inf

MD5 6cbf071a912fc640ecf2ed87fbfe6fa0
SHA1 90074dc4faa903a75f44cc6d3ed2b5e36ddbcc0e
SHA256 2e3ffad5b8c89a0b99396262ed50377c06f1479b8de85bbb6c042baf5c40fb96
SHA512 c347e0c605bfd984865434d231ec59e637cd8a1a9e210625fd8c22d044781b7c916aaacc89456ccf57c71b83356a42cb378a7fc991db17660af717e1623f0dcc