Analysis Overview
SHA256
4e570261798b1f8ea4b1793efd7f4b0fb5a109a99a1dd2bc2dd5859e46df4968
Threat Level: Known bad
The file 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (90) files with added filename extension
Renames multiple (89) files with added filename extension
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-29 10:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-29 10:35
Reported
2025-05-29 10:37
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (89) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
| N/A | N/A | C:\ProgramData\VQMsgMUg\KcQMIAgE.exe | N/A |
| N/A | N/A | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
| N/A | N/A | C:\ProgramData\VQMsgMUg\KcQMIAgE.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" | C:\ProgramData\VQMsgMUg\KcQMIAgE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" | C:\ProgramData\VQMsgMUg\KcQMIAgE.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\VQMsgMUg\KcQMIAgE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
"C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
"C:\ProgramData\VQMsgMUg\KcQMIAgE.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYMoUEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaAMoMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIssEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUEgggkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEAsgYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcQkMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByUMokkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIkIcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWkUwMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcAQQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCIgoAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMAgIgos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAUwoIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGgskgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwsoAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsQccIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoUcMIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeAYgwws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwsIoYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwsEUMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEsYUMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYQAsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuokIwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCIsggYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQwIckII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYgUYUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQUkwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIssMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAQckUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icEcUUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCUIUkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgokIkow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoIgEIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgkwwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUAgcYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmkwMYow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYkIMUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmAsQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BowYowgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGwEcsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIYMAIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkkYkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UisEcIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScUosEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEcsssAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcwocgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmcQkIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUwgksw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEIUAII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMEgAwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAEwUUws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zosgAgAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUkoMAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgMsUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowQsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIEgcYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGogIMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUsAswUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaMIcQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwwwYIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuksowwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyUkYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOocwgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WakcUIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuskMscY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqUQYoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYogssgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigcQUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKAgwAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUcMgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQswokg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsAoccMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqskAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoswMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUsYIwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoggQooM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCYAEAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQEkkgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMcgUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcwcwgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsQwEcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUEQwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMYksMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqsMIkME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUwkgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkUMAkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQEwEsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQQIEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UioIokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoAQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACoccMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcoUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGUkkYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWcEYkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsggUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGscoYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUwMIMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIgggwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aekIAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMAEQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\necEIwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUwUUYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIIIwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsAAMUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukoUIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMIcIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LusgkUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYwwIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAAMwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUgUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esAYoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYoQkwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwoEoUog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUsscwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEEUYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEMgIkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIoYscg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwcIkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUskksUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsIcUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWgUMQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaAcokgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQMAQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqAMYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 142.250.102.100:80 | google.com | tcp |
| NL | 142.250.102.100:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 142.250.102.100:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 142.250.102.100:80 | google.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
memory/4680-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
| MD5 | 63807c2516613f8b04586749ce29a45f |
| SHA1 | cdca842015a8d3e89886bd76cfda94fcc8d86c75 |
| SHA256 | 0c21900eb65585b3ee2a75ca6f4b6c0d42dedf3a27e27d5852d345f43cd395be |
| SHA512 | 9732606c91fb47f966f55269e9337e9f524bdc53631915a2bfe710eb517c93df5ad61dc494cb93a36da2b5530a114793e40324b20f0bc060f59c885c15e765e1 |
memory/3372-14-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
| MD5 | 712d434ccc3a071783f8b515a550c85a |
| SHA1 | 79ad6c716bc6fefb707ccc5d4088891fb215d278 |
| SHA256 | 817ddc88260957a0cb0b149e064c19e324817d29d381515724998b5bec08ae87 |
| SHA512 | 73ef006bfdc329d4a59b92c24084ed6500503107df94aae45abf1294e211e5b02bfdbf1e0cddd17a2f011dd2e255d458cbfff04f5c311bf81e0e2de2a862600f |
memory/2880-8-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4680-19-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3576-21-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dYMoUEQw.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2096-26-0x0000000000400000-0x000000000042E000-memory.dmp
memory/764-28-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
| MD5 | 00974aab6b9832933e8ac609e50e5dce |
| SHA1 | 6fa57587c15d3de9c9ace6da93ab80830bd87771 |
| SHA256 | 7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6 |
| SHA512 | c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47 |
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | 5369d9147be31024c4777ae4722f8576 |
| SHA1 | 7dbd39d379727762a4e839b2a60c6c94bece4b8b |
| SHA256 | fc8a0bee5ba29a391f9e3f7508839ce0f9a78cc6eecdd26568b0363f20572d07 |
| SHA512 | 8910fc9c0144a63ab0b2b50eed9ec97bf52cd775bd804c4d24c40b7c2df4ea6dc8105123e31c79cdac9f9abd3f6082fd64d75a1ec9f49213194e995dd807fdde |
memory/3576-39-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2260-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2236-63-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4392-75-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5084-79-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | 44308ec74e58ad0318ff4bdcf8e8bbd7 |
| SHA1 | d66dc5abf25928a09ec8dd48815571bf28db17bd |
| SHA256 | 8c92b5be28a0d55d10922adb4a8a3551b69359f796338e5c6f2d18f5acc3e455 |
| SHA512 | b143929505d20cb53298d7d8092ac0b823636141ea921329b4bc5e8bc4cd2d3446537d7855348599ceaa85f5b070f575747282863f084be95b7582a2056295a6 |
memory/4392-94-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1984-102-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4952-106-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1984-116-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3792-130-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3260-143-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | bc012153915aa73baae10cc4dd703292 |
| SHA1 | b9e801b3be5b13e3ddeb7c3a02614983988d3261 |
| SHA256 | 6aef5b081773aebf2d36e04920396407a444f1e39143e5ac695db258864b0e21 |
| SHA512 | 4868ab0d0a541c160e1f8c0640e75ad79bb84b899d3230d26f680cfaf1d96b5a9dbacf08551aff0727ef2cb4697a7c38578ed3bbdcf243e3f6651b303c2e204e |
memory/1856-155-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5068-159-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1856-170-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1640-180-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3552-184-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | 593a131a2cb9e716d8883e10821393b8 |
| SHA1 | 5af84f68831efcffb44a512da5a8e7cd0ddd0c40 |
| SHA256 | 6919cdc65034eb00b2f6f43fd04d921ad09b90c940681dc63c26c8c179bfad83 |
| SHA512 | b2fe3e3feb52091be8ded18f90b1d8ed05f9f930d2db95252d4ed1435aed05745d040ac6d6320d6ae6c2e46ccb754a3de766e8bb1f9001734fcdf2b9363006cc |
memory/1640-199-0x0000000000400000-0x0000000000430000-memory.dmp
memory/448-212-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2136-222-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1732-232-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1056-240-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1880-250-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2064-258-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4940-266-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4904-277-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3012-286-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4756-294-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1580-304-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4356-313-0x0000000000400000-0x0000000000430000-memory.dmp
memory/216-322-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4084-330-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2236-339-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4952-348-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3636-358-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3568-366-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3880-375-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1188-386-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4692-394-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3552-396-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3552-405-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2188-406-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2188-416-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3908-424-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4136-434-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1580-443-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2064-449-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4112-453-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2064-461-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1640-470-0x0000000000400000-0x0000000000430000-memory.dmp
memory/216-480-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3592-489-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3616-497-0x0000000000400000-0x0000000000430000-memory.dmp
memory/556-499-0x0000000000400000-0x0000000000430000-memory.dmp
memory/556-508-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4744-518-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1104-526-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2148-536-0x0000000000400000-0x0000000000430000-memory.dmp
memory/540-538-0x0000000000400000-0x0000000000430000-memory.dmp
memory/540-547-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1248-549-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1248-556-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4608-561-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1392-566-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4608-575-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1972-585-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5020-593-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3092-601-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2456-612-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4396-621-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2900-629-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1456-639-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4800-640-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4800-650-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-658-0x0000000000400000-0x0000000000430000-memory.dmp
memory/876-668-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2828-678-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4328-687-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5044-686-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4328-695-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4612-705-0x0000000000400000-0x0000000000430000-memory.dmp
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 71d9171e32f4722b58d096ad0a45fec7 |
| SHA1 | 670b3d0dc76cb8fd88306f3fb29026420f7f66fe |
| SHA256 | f884ff87a8ec515df2251a8b89d3c2f4ac84c367543c762473e08d6b2c3d96ea |
| SHA512 | d7198b6de2a8a0c896588b09f81b0ac13d32a1224adc0015eb30df27ea7dfbf8deaf89825917dc16e27bd2657bfda0a045cb2a557e35e3cf39fb615776a10c08 |
memory/1484-716-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3092-724-0x0000000000400000-0x0000000000430000-memory.dmp
memory/700-734-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3456-743-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3508-749-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3260-753-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3508-761-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5040-763-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5040-772-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IgwS.exe
| MD5 | 9160c958d17158462cb87b6ee7562eda |
| SHA1 | 46d0a6906590764a8127a6b81a081b1f6206c190 |
| SHA256 | 8927077e878ffa6fd919accf87468d0e190d54412638f068cd7e06f3800cc7de |
| SHA512 | 4fdba2e8f0ea554b25e0fe8ce217b174a3474fe49674fa97b4dbb1c275a8f380af396c0a124986d8bd4592249f88602330d3a93e370b8ad0cbab99d5d3ef7f87 |
C:\Users\Admin\AppData\Local\Temp\MoAI.exe
| MD5 | ad5301b097f15e14889016228da1e253 |
| SHA1 | 8f4e08679292fd8ffd2ab0d8a28f594e6dbe570c |
| SHA256 | 3f644a8c13aaca0fe94d504c7fcf34efec93441b91f309f0b590ed4dc1615c4a |
| SHA512 | 21b827bf63e884c2daec945092d3d6f408b1f0dcb2d2b7ab665497a51f863c249b6c90b4842f7edf28ff80ff7254dd18354b3480039598dbcde285dcba842f64 |
C:\Users\Admin\AppData\Local\Temp\cgUK.exe
| MD5 | 0c9bc01f4ac06026d7d63ee8921d69d6 |
| SHA1 | d01728a681a293bae4edd0ba2cce560a019d3fc7 |
| SHA256 | 40944ce138f2460541d68b69ab551694a99ca5c2357d66ec9a92af8dd0434358 |
| SHA512 | 0e5600ebae554806c6d461b0c032157a5a5cedab8b46b1231d0454c23fe403b4224711e2d596f248828a306afc245ef49d55b8dbb840e0186940e4de57f31b06 |
C:\Users\Admin\AppData\Local\Temp\wUUA.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\SAoU.exe
| MD5 | 94adac8552c435d00c547da03a71db0d |
| SHA1 | 35ff140052b46b1d55148d7847513ea4e52f6deb |
| SHA256 | 75e042b20c4074a01f68b6e42522e8fd05bbe3ae3812544a1f8fc79539c23e8c |
| SHA512 | e7f8ff329524a451f8688e94f6c3b346f3ff18aabb528c00e9ab55a9ed1c0c5533ed49d2c0649ca9fa23aa89133bd8fd8d4dbdb7f0c1a2fab6ec5e645247f5f1 |
C:\Users\Admin\AppData\Local\Temp\mgAC.exe
| MD5 | 9807e5656b93baaeb87bc96c7267a3d4 |
| SHA1 | 12441148a4b909d3613eae415d372d71c66ca0bb |
| SHA256 | 02c7502056227bf85736bcf5446c894f4ce70fb322e81da8036aa67dfbce5a09 |
| SHA512 | b099ac6e508b72126a78884d0947781d967a36bae69b2b04d5f5925e241155420ff3f69843903574a149676e2a284577164b25a65fc0fa095897dc908face5fc |
C:\Users\Admin\AppData\Local\Temp\cMAk.exe
| MD5 | d23e01df5a820ae9768691bf38157a83 |
| SHA1 | e3055dddc1e0696fec73d55c0e93b2f9b8fe97e3 |
| SHA256 | 59e539d237902063f28925cd0a0436918de7f030767ccc022359c5c8a8afca9e |
| SHA512 | 0aa59eb038abe99153aa01ddb8d64d735dfc8d398b3f0331f82876a11e7f4db236a48a7e60d8f6d3860cb5c9d8fe6af1779b37e618373d34f988723afe568ea1 |
C:\Users\Admin\AppData\Local\Temp\mssy.exe
| MD5 | 63b3ea5fad178c35fee2caa3ac1eead2 |
| SHA1 | 794cb17e9ea8013ffd1be2a807787f325771ddd5 |
| SHA256 | 5aca07392ab474d36fb33db9d1b795de2d55a076b7b2af81856da1fe28d744b1 |
| SHA512 | 3eb9bcba885b264b116e21c2a81a1c678b2a583f20a0a23ab890dbef79e5bd10ebb608b799c9d20e69db4d0e3b1d12c2e588065ffeb47ade30ef50de70a11fea |
C:\Users\Admin\AppData\Local\Temp\YYwK.exe
| MD5 | ba0c0ba2a467015228a7fd68c32b2781 |
| SHA1 | b1c3049debfe1dfc290df50d3da7990b25c4275d |
| SHA256 | 2ab97a1652f734b357a188ce7cb3b5de422663b3670c48a3e594f2a29b321bf4 |
| SHA512 | ff1a7f5ea50e6982883ec2971335f816ed66dc0f36f51f12a97a435f7bbcdc471c2e394fcc217fcefb062b930b1d587367f304a1d15ea2b99aceadcef268ee45 |
C:\Users\Admin\AppData\Local\Temp\uYYg.exe
| MD5 | f448656358312760267ba5073292857d |
| SHA1 | a9e5dd070ff34211efed63d70fd6972d2dbed89d |
| SHA256 | 88c4dd07afed69ce68f1c0d916482f639f03769c286acf3493bec42a7b521921 |
| SHA512 | b359116131ff4b55648d21f0adeef101ab80f1738b5d2b1e7b866da24922dbbeb4bc16f93da985c3cd43979630d984572ceddaa728a3e48cdd8954f027fe359b |
C:\Users\Admin\AppData\Local\Temp\AEAk.exe
| MD5 | 800b4124ef87f0d0d6bcfad29b982502 |
| SHA1 | c425214a9b31c75d690312588c083a1e35dc8bcc |
| SHA256 | 7031465b079a494a32f9ab24aab147f4c7d174c83aeeaadf5e1a1fd37e05e3d2 |
| SHA512 | 1f140f8bae3b667a8cc53c41dbe5463a902d8f987f9bf18ff3bfe25fcf8015824e1648918b20b713b0543891b0cbce1bd2596cfa4fb34f853118224fb05ded2b |
C:\Users\Admin\AppData\Local\Temp\QokO.exe
| MD5 | 2f5d7954a314cb4bea47d1813a46ba61 |
| SHA1 | 4ae77e3b8712f1861a35d857c05dab5148ffd929 |
| SHA256 | 7d5e8bb53ace1be237abc52bdc60cb73433794f30e5f428ab89a7b44fd28d6a6 |
| SHA512 | 9573afb780d5491d05214f960a8acaf7a1dfa8728146277f774fa352afd76272bebb704e5af19099716f7b1460299471ecc8469e70c8c93ff13fcad71fdb77d6 |
C:\Users\Admin\AppData\Local\Temp\WUMe.exe
| MD5 | cd98f12c1bb086f09d88aafda9b6505c |
| SHA1 | 6eb9dd99741e8ecd439d50fc56273259f2364928 |
| SHA256 | 775982d4e43ea2e8500013db265fde5904a47d1b959c555e18f242a1f30e53b5 |
| SHA512 | a8fdb64651c93bb01ac500b8ce2cb1b294ec6c5ec18a0ba3a645151e80cf8e5213fd354637eae7a39e0d405e0127bd164cdc856fbf4ad3c7203560d4075b4df6 |
C:\Users\Admin\AppData\Local\Temp\UMAs.exe
| MD5 | 489e3b6fbe8ebb6c636e99a075f64a10 |
| SHA1 | 369a792a5335a04455c11fc110d0535a0e4920f7 |
| SHA256 | f5ab0eb938f971be45008288a111c2156b7a48d5497ffb6117ca8a8da1d8a81d |
| SHA512 | 060dea00b9a9091e0d8c722cc91a8dad64c6866af0507a84f18de3bd8270892f8cbd6ad2451a19e80ba8970cf77071f20742c8d63222d87709cd9da529ea715f |
C:\Users\Admin\AppData\Local\Temp\ScwE.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | 96e555bf70e056e44a537fa977e3fbb9 |
| SHA1 | 62537b403b01a6834538569a8c2e341d11743eae |
| SHA256 | b6eb47d852132a7616df1df1fdac218487f55d547643961b925b6374ea7e08b4 |
| SHA512 | ca601b59a5d57e19c47c01db062d3bf489a0f3a323b45f80b66643c8c2481824999d9c027f4a5d225da5ad75efa88d3c73481ed2998bd3d3a7e952b44ecfa124 |
C:\Users\Admin\AppData\Local\Temp\MIYy.exe
| MD5 | 1f89c71020b4450126efcedc19dabe69 |
| SHA1 | ec6d741a29b558af7be4a90badf2a1b7af97b073 |
| SHA256 | 0b3efbb13fd7a2a638325f6ba47de659398acf8f57c71cc20a8a3d771d1a2904 |
| SHA512 | 811dbc736d75224f619260e24a3aa8aec22788d96c66ebce090dc4a109ddc08618dcf31b1e768def8ff895431c8bd23f446a4448eef5d91adffc5d9f0ad8ec8f |
C:\Users\Admin\AppData\Local\Temp\QIUQ.exe
| MD5 | 346b51e267d8cf96d09a993816c7d832 |
| SHA1 | eaab55e639c86e1a4cbeb17bcb60c83d6036d489 |
| SHA256 | 6b15ee62178d3ad25d8334a8995eec7b737d5ce4435c292ce1d4bc9df988171a |
| SHA512 | ae3b024995a8d7e4d1de9b61aa42abfc07be587f196f1d39d7d429ea54ac85610a3089c91e48c455cc737fc9fa36faf8d8b7eb3d01fff06467c136435c2eff6e |
C:\Users\Admin\AppData\Local\Temp\kAom.exe
| MD5 | 712caec265898f34b26d2d525acaf895 |
| SHA1 | 96eecc85a26884ec56a174f7dc3db947b8db00cc |
| SHA256 | 991b78b9ed7807a3b4354ae29732f8f396240395e3c22c70c03b62ae5d0fc0d0 |
| SHA512 | a0f284e9f5fbc638c6b21a8ce7ca3857660fb80fe8d7713d3032334f2f178bf5e3dd7e1895cbc0b4b2c8b03d5c0bb80f285a29f4a5035e04ca4122a20246f2f1 |
C:\Users\Admin\AppData\Local\Temp\MAkM.exe
| MD5 | e0c790ae0477c1f7d1d9ce2fd6b3efff |
| SHA1 | 3ee4d5b9a20b1f965f165c86618e6d11d8cac028 |
| SHA256 | 35b0bd1caebd91990af40aa1d229702a2c06f003926f70e9a5e6f1620206c960 |
| SHA512 | 3d83161f0170d9d3d9966e18e13deee8f31a2cc74df44499307b8c8eeb9699f16487e4e57d59af6c0b4d62762204dd7ab0566836a4c68551768727d8ca7338e2 |
C:\Users\Admin\AppData\Local\Temp\Ucsa.exe
| MD5 | 8f52f411e6515b13f55d42cc70753860 |
| SHA1 | 18060dc2d5da7c33506ce034d4b83b0874516465 |
| SHA256 | 18f43c7270f1789f74613d40ee66b4012388b01126ed1f3b66409f2e25a2a495 |
| SHA512 | e92892d042366a65ce82bb7387d281119928a5cbd314fad21d100adf0676689328f0285ca948c6c45c1b0816fafb54944b30d2c5539c3c69842a5d9a8ea9983e |
C:\Users\Admin\AppData\Local\Temp\Ugki.exe
| MD5 | 99361aff8e5477a8d7ca3498df3419f1 |
| SHA1 | b7cafe5d2f6f3c17112c0bf4d9cd045fc25f0948 |
| SHA256 | 07a81d1ae21188e6539a29717373caee9b2ffcc367a7c3936009e10fe1091f56 |
| SHA512 | 2d1fd7d9209ccbcf6cdc0504e30e016cd6f705f7f3abdca65d40e1b5d43d5f4a922940c07214c72e04736588740a7c42dda96b9a1c951474b1d846df9c4cdd47 |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | 74d1088c52dc6363211227e43a9c4375 |
| SHA1 | 4e12f8980fca09c49e483748702365fa4f22b50b |
| SHA256 | 1a286cd813cc3c1eab574855a6d77c417c2d84c282bd348cb3a936023054954f |
| SHA512 | 02c22c957b1e4c7e09062dc756e6edf13ef3dbc963802c905cedb7c048fb509a9c28d45796bb5085c99c2e103c758a7a70297f64d9df32b8d0a89f79298416ce |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | b953f08a1cbec6529eb8e552dae6390d |
| SHA1 | d1b77cd457085f0629911789319740d944d84551 |
| SHA256 | 01dba662783894a965e1d6ae30695cfdaa54a955dcd2b7f4a25d0453450b0dad |
| SHA512 | c1bd9cba7935502f4615c11b0e271a6e4a1ee9097096ae73695d08dc5f5431cbcdb1ce445f4f9861441834fc609ed0a88afbe6cfe3a5b948b475ec784955bea3 |
C:\Users\Admin\AppData\Local\Temp\YQIw.exe
| MD5 | 9ae0fb11f3b4d0d95c6ae332cb00e480 |
| SHA1 | 55a637757d1485290f8f73f578f3f35edbc67856 |
| SHA256 | 307251052dff31aa1dc55d50599c77e019f336e4c10966eebba8ee091ad96527 |
| SHA512 | 31a29434d79f4d50d090203623c3cd6df48568e6e7281e71da3f0405dedf907ea364f4f81031273e3491bbe0acd004c4df73b708ca12a715594ff0ccaad322fa |
C:\Users\Admin\AppData\Local\Temp\WMUa.exe
| MD5 | 389acd6f014635c78dceda948d78ec6a |
| SHA1 | 8f98907e4e9af861a54865d3c2d2e80b701d4ec8 |
| SHA256 | 367257d8bdc71b66e8b455a910e7e71ee0e22e571fbc7218a7c8e401461f141e |
| SHA512 | c5d1a2dd27d67e3a8ebd337b41928b88b50f409086899b4797a0ccf1f6d2bbea9a6227fd92296f98db370269d0e9489dce254bedb922a09ff621b01de57568d9 |
C:\Users\Admin\AppData\Local\Temp\GIok.exe
| MD5 | bdbc71c6466d697728132d7bc21ffa24 |
| SHA1 | 35f4a5872d66f42ed3bd92fcb79624737679c5ed |
| SHA256 | 01a8f3ad75615ef8f6e8ef5874d8e0d7d1fbc998dd21b9fb05b11f13c401394f |
| SHA512 | cb4f03d76bc9155a81369f5b21bc675ba24bc36d017ba54178b07ced735e40513656e1b913daeb0c539e9209271a994255fee48ee7862f9ef612f1f633130817 |
C:\Users\Admin\AppData\Local\Temp\QsYA.exe
| MD5 | d2340c968f5b040b0fca659a646bfece |
| SHA1 | b0c6df96011f7d6172510a43aad4b8559856a545 |
| SHA256 | ec5c31a2056edf89adfefce84c4e58af0c01db11474ca29c19d80e591d9407d7 |
| SHA512 | 2112d3b47591ca5a58434cff64b3abdb92f91930a0cd68c606ef9b1989455b27b921d7f561c8efa4feca925f557eecc727c38cdcf38f535d928dde65f05ba396 |
C:\Users\Admin\AppData\Local\Temp\eIQS.exe
| MD5 | 477ea3c562e8181b0750fa455490fd64 |
| SHA1 | 0579aabd68aee936e5c05293644022a49762bd6e |
| SHA256 | adf9447dcdd0918911806794b1916eb8b6d1dd8776cb6ee5c68ea245ed1e12fc |
| SHA512 | 09a4afe332d328e0b81494504460ffccb9befd0a98b7758a280a315dcafc2de919c85ccb579feddbe302ef5bcb4b8777e7c2f0ea3124e8c4e58c93f96184bc21 |
C:\Users\Admin\AppData\Local\Temp\CgcC.exe
| MD5 | 21a885f044770cff1dd8f7ec7b966e3b |
| SHA1 | 6c5a7fc2b12bae0252254cdab00e73050fd60b62 |
| SHA256 | 0cfb460466adc91d922bd0a2a32085eacfcd4f38ef1bd452f1ae207c79493dd4 |
| SHA512 | e4c26e9bf97caf0a4553236b2a40a1d4016c6e5af18fdd019a688502d2596bce15ad976a99197d015a4b056f006b2119bf2b00c7bc1428046971ca1cf1931639 |
C:\Users\Admin\AppData\Local\Temp\AEwW.exe
| MD5 | 58c4c6ca6af53f1aff5d54395aef4bb7 |
| SHA1 | c5733789a5eac17c3cf9f53b00adca98c5a24bb1 |
| SHA256 | 54169f54164f09b65f02ec2dfe9ca07a16c3f5b5233ab513264fabc8b6644c8f |
| SHA512 | ea67c7de25a768f0e605ad12abd2dd8fc118e11f4f52dd57d22c4b176fbc11d6df504a9e6a41a3f133579500cc2216fecefa3e4b8ec1edbfd06da6c1cd1c642b |
C:\Users\Admin\AppData\Local\Temp\msoS.exe
| MD5 | dfa42ed71e847ea4180d163ca6e40e7c |
| SHA1 | fb76e22473057fffef913108797376dc45cd8b45 |
| SHA256 | 242e14552125322fb9c8fce6d7e41a2ad64fea9872bbb686bb8774f8295e2c63 |
| SHA512 | 440b0055b3be75a5dea1f8cd49c4f30dc178348a9f828f2efc41733ca64ee87659ca2bf5fe1f4446ed69e3b3879efb16ba7b0a0f6a8878dcc64a5fb04cd8504c |
C:\Users\Admin\AppData\Local\Temp\EwQW.exe
| MD5 | 9a8578884ab6674ee546c150fff1acd8 |
| SHA1 | abebb438d8349fbe04b31236e3ae472805d3134b |
| SHA256 | 1dce2fd975183bf71963c52a53adcf7241e3ba36a54d0548606c6c23877836e3 |
| SHA512 | 525c46c9483778c917b5dc4dc6cc4d8b0eccf4ffab9aa9137c96729ae4072b12052e2f9c73a51b599c52322f1c1556034b1d9e235109b98e6226469b8db682e7 |
C:\Users\Admin\AppData\Local\Temp\CQAi.exe
| MD5 | 24b369a4bb1cf3c0921840214ad21762 |
| SHA1 | 8885c990cd55e397eac2644b1ca7842dc6a0d4b0 |
| SHA256 | 96f9c636e0a2b6797d21c8e9c207c2b49104cf3ab8d66835f5b626921cf8c97a |
| SHA512 | 1cd8bccdd46f3dca1ae4c86e22a2c034cd1931f1147c3678be20468bfae5fe20286ef2dafd3878fc4faa8b42ce184d329d212e866325bf2306e820d12b673873 |
C:\Users\Admin\AppData\Local\Temp\EIEC.exe
| MD5 | 942e65717e539b49997fdc568bfab93a |
| SHA1 | 41d9390481edb296369772dd5964e2c8674358c4 |
| SHA256 | e0c2beffeddbcf13c4f52c39d112bfb71a2c1e0fc5604929d42b81dc06164b6d |
| SHA512 | a92227c0421bfb87a3d5d69cba712cdd832abec8fee6dc9754ac4d9e5313bd3d2c5ca2a40d86ffdf5225d798bb7439cb32b199a6147bcd2561c2f59b01993b8f |
C:\Users\Admin\AppData\Local\Temp\OIsy.exe
| MD5 | 069a3f6290b86e2f8f568773c52f8b0a |
| SHA1 | b392fd80572ce0918d63f0adee22a67ba8e50730 |
| SHA256 | ed04b50e46c443ff8a61b5beb9def68f529292626722143951e14a0690a16aaa |
| SHA512 | d57e918959ae51022baf90c3e6d2b52f7c5315417fe3da3db8d464c9c7c9cfb6a642fd5975a0d8c4d81bc7eee1fb7ad7eb8f0e603c5f74e675bb5ea8af7f71d7 |
C:\Users\Admin\AppData\Local\Temp\uMYi.exe
| MD5 | 6ea9ffa4876d95992983ec3d0b058b98 |
| SHA1 | 2d11a8f357bd501c2bf4575425f907dd760ce949 |
| SHA256 | f98db9169160120646837da385ce14bcfbd504824a447d76513a6e981a4feba1 |
| SHA512 | 2c6ea8cb88fbb5e6003c8965eeb1b34d95172f6ce603f7e112a8c9b71a87c1519d822e41aef31a33c10b46a4aff17eff58ab3b74ccb09eec9017f7f4c8df629e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe
| MD5 | ab28a0d6cd0211714b3a855bcab0a32a |
| SHA1 | f8ae535e3ef3e340fd460eeced5068d9cdcae9bb |
| SHA256 | 921dae72afc8bf4f9982a70ca739fe34a4abd00b22f763327839b24e431a057a |
| SHA512 | 4e3a81d0b6175615282cd96c1a8bc6d3368d5e7e5629047136c517e931c4399bd92fbd56137747ee8beaae4efcf0c941ed2359c464aa225ed59035c299930037 |
C:\Users\Admin\AppData\Local\Temp\goMc.exe
| MD5 | a7008fe6423de02c17d3792be006bf0f |
| SHA1 | 505568fd7417610521bef40b0d205bee8a2037d9 |
| SHA256 | 2e324ccc2da41d51a975c92e5be3dc068931090111f1bb8f3e85db3a08cafc96 |
| SHA512 | 8122448de3100ac8d48357ac21f1730f0c16a4c85cbfe7996671b8cccfe91a7a98fc27fbf486c6c9cff1839be83ef1392f23fec26ad6b4c9a54660f6097883a3 |
C:\Users\Admin\AppData\Local\Temp\Wsco.exe
| MD5 | 47d65077cac5e82357adeba861a4d9e4 |
| SHA1 | 47ad6609b4c966e8beed513d00e8db73ab95f9b8 |
| SHA256 | f315e24062ed386a61fc10bd9f5c0f167806fd773d46ec81971d163b6d51d252 |
| SHA512 | 4179b89d0863b4b4bfe976c4df8bc988dcc6a09efad73d67b6ff533d62561fa5a6ca397c99de843fcefc1d32286c4557e147b984f09c3b9ae16505b15bb34dec |
C:\Users\Admin\AppData\Local\Temp\wwIi.exe
| MD5 | b001b9434f7048401ac0cd7873910e97 |
| SHA1 | 86203c09d8642571797958459b9e4c621d862ddb |
| SHA256 | 190eafe21834d0dcb4b36558cd02c8dbc762991513f5eafd39f33c1db0abca0d |
| SHA512 | 2c531778f3ce99f5592b24a7c9f2b0ddf774ff026dbd680aa131e0ac7c600abdde013d5530807cc970317fb257c0bd982e848462eb63f864c9f68d454a4abb53 |
C:\Users\Admin\AppData\Local\Temp\ucYo.exe
| MD5 | 27d2589fece008d9c86d9bcacd4fbdd5 |
| SHA1 | 69380a15a272fe17088882c6056f8700a8c3de4d |
| SHA256 | d0d10dadd6147500e4b8e2cf414dfe86af769d4baca16cb918b1204bcc91ba42 |
| SHA512 | ffc73bcbc96cca6bfb79b5fe6eb41e06dc993a2c8bf03de316f95897881af6c33e120babe83c89b394fbd1a823bd55219db827655bd807aadbbe3553eab58bbf |
C:\Users\Admin\AppData\Local\Temp\QQYk.exe
| MD5 | f5dfc64b01aa2c1fe69bb54af351ac61 |
| SHA1 | 048fc89f000c78a2ac4a0c88eb3d8c9bf27092d4 |
| SHA256 | d4e1c49ce190de329b04ea875b69c0ba9227ab65bb7da20d786793b3d2f55bc6 |
| SHA512 | eb23da974716e2af92a67e8d9214eb27588893fd1d01e81910bf23bc2593b92b6c1ab4836c090bd1936ad2402c20d05dd49bf2fcf4d75302ea4d43d392157266 |
C:\Users\Admin\AppData\Local\Temp\WAQE.exe
| MD5 | bbc5ffd96984a5ac0292b23329b73c6d |
| SHA1 | 276bfb6d6f1d8265a79a8e8423a45e85bf2641fb |
| SHA256 | f6d111fd2d198d2f94b8a132aa0dd455e00d279b971d217d83ae8329e05f1117 |
| SHA512 | 2d14c638c069ea27bf13ae4a929283626230710a1aaee41a34cad0ba1fc0ef25373e8af7c80408d7eaa807bb023dc473029e614f7664cc8507d63844efc29bb3 |
C:\Users\Admin\AppData\Local\Temp\eYQK.exe
| MD5 | 50f0dd816de5c4674f1fef690d2d8356 |
| SHA1 | 5cf412acaa92ba9545a581cf7df55e66d30c4987 |
| SHA256 | b6d7e03f94ed8aa1a2118f89bc5a542d7bd625e6503b46f5d8c7f9816852378a |
| SHA512 | e67d53eea604d22d11b15e4e6abfc8b173263c4f004262ad09d3b59aa8b04ecc1c8726549efe6ea45f32334340f61e7c71d25be80a3573dd07b0636bf897334e |
C:\Users\Admin\AppData\Local\Temp\osoq.exe
| MD5 | 310e86b26320b83a364792bb118301c7 |
| SHA1 | 9f0aabdef6088faac0c54f9855ee781fa5def6b3 |
| SHA256 | 6f5c00ff213f3336dc077edb650b122be39b1248760fbabb8401c72cf13afa21 |
| SHA512 | 4b4437118ea4127d11097988ca4f1ac1e97bb846c47f43299685b47e690ea65f2a8c544763fee673b90a3a64d10d9a6179aca4c90d95329870975af53b62c9de |
C:\Users\Admin\AppData\Local\Temp\IooC.exe
| MD5 | 49949c52e32dd2c2c32ef9cc2328e588 |
| SHA1 | 8a4e99849528e9559ca7729e586a0fd989d4ed0a |
| SHA256 | ba9205d41f5d7c1c2e5eb836122a7ae6c001d070655cdb1aab65a1793ff5d7c2 |
| SHA512 | 64b378e7c82abec39b0dfe07446e813a91a196400b764d369a8c6299f119a2d48b0be36f921f08109ace6e65aa5fe63e3304d97837ad7107ad90fa5c975a65a1 |
C:\Users\Admin\AppData\Local\Temp\IkwO.exe
| MD5 | 7be5ce6e75fcdcfaf17ff4ebdaf7f15c |
| SHA1 | 17f12285a89c9c85b36096e3fd56baf2a27d3057 |
| SHA256 | 5c104e2262ca4d134100bee2fd4f6433dc47fff639721e5f0eb3a87b1e520952 |
| SHA512 | bbcf23ed7a376cbe310307a5e1945613d290ad65e18308c69b162e327bf51ee015c735fc581cba349c7cb25a010ce635b5e831df814d6f633bfbac7d00b30960 |
C:\Users\Admin\AppData\Local\Temp\oIcE.exe
| MD5 | ddc25563a750c801515a841f0337db9f |
| SHA1 | ce1698794c611a974252fa2269e4b40bd836fb50 |
| SHA256 | 246a5c370050f024a9d1c1366af197df3000bc737499126be6babe8c047104f6 |
| SHA512 | 74b8a34adf330272caa29279d648fe1b1b7e5bdd5bd73c0f5a98a7da5cc4120015954d12d5d089d021a1d8748569018ad57f98096959f36e9f8b8ba6338d65a2 |
C:\Users\Admin\AppData\Local\Temp\McYy.exe
| MD5 | 673d6d4991ed9721ab027f18aa5ba19e |
| SHA1 | d0ceab5b86b8c6e1aad97df968b139edc7a72b6c |
| SHA256 | 533ac08b3a12440534e351e15e597288138629b5147244b383b93899a6809b1b |
| SHA512 | aa60516ee011a281d460a4287e223b05477cb14e0a325e3b82c1f7e73e4c3e5a9df2a7ee653a17f61d4c947c49ff6a2648bb2e1029d0151048c3aabbbc7e7a9f |
C:\Users\Admin\AppData\Local\Temp\CoMa.exe
| MD5 | ce27a994d930f1d7a96424b235f942d0 |
| SHA1 | beba1a0399938be2937361d5443da20970fcdf6f |
| SHA256 | f850f1a346a72f0a9b583ecd4f609f2224ed80c1ad4b66e876d318b94874a4b6 |
| SHA512 | 68520baca22df06a6b42e02b2d8fd5ef8259d57532cddbb205919ce32d6fed4a7c1087c7f2d5b35520d2066f6d91f1cee54bb1c28e0e5b4db45a1fc422b82624 |
C:\Users\Admin\AppData\Local\Temp\UsYc.exe
| MD5 | 6d8ef50d66de878b1d8ad21ea7b6cb01 |
| SHA1 | 7d4b339f0866e812771a33bddb3849ddcd75b999 |
| SHA256 | 946cc93014744a4a1439080c020672613a59b60bf4afb49c1bd244fab4eb088a |
| SHA512 | b3366b7896f0382579d614a17d483e50821a7b36b410d4d8bf9e7682a42588f216d461ab4a241366de08966d55691335e6b3a9b5c8795a66c2eaeb8390518710 |
C:\Users\Admin\AppData\Local\Temp\MwsO.exe
| MD5 | bc736d5cdce5f17abf5e6a0a275a88c1 |
| SHA1 | 1b93e23771c011e8f88f80f253d7642918e294df |
| SHA256 | af13a9c74e64bf317995c954b323a04855cd0e1b957ba93fbcbc461e34a22f50 |
| SHA512 | 32e23cb3012f6f433cdde6913e64e2e3771e47c057f55e182d02a45f312d7acdf4122735c249219b2e21a2315bd3f533784ce470d06fdc517e569e3b2a43d9db |
C:\Users\Admin\AppData\Local\Temp\YsYQ.exe
| MD5 | 0c162e96dd1e93ff0611b2fd434b2a85 |
| SHA1 | 3450ecc646f534cb1d27046a5adc83d90431d2a6 |
| SHA256 | 9168cdb4154796ea5ff9f06222989333cacbc24f1eb59ad913ff501fd4f6279b |
| SHA512 | d2df7884dbb57d395a76be6cc8473280f3e4e55354d5fc88969fdaef405031890af7d028bfdfeae063a305e6f857a02c6d1fa4e65904afc57698bc4128f19810 |
C:\Users\Admin\AppData\Local\Temp\ekAy.exe
| MD5 | 49bb7fd3e17f472bebfbdf9a4a8d0bbc |
| SHA1 | b8ec90a23edabf4f76a6c3fdfe50e2c9c549adb0 |
| SHA256 | 827c28bb3143512c10ac5e7afe866a7d73725cff92582b687573f336d29be418 |
| SHA512 | 1d05c234f9820e7cd874d33385117e0de632d31dc9628981c6361307af3fb934200b7034ac6e3bafa311def72276a132cfc651bca9818c13ddcf6bfd64522abf |
C:\Users\Admin\AppData\Local\Temp\MEYW.exe
| MD5 | 53b8392e54e4206f0a0a37273d92cdb1 |
| SHA1 | ff06878522365b7acce0971176b061d9cbae7e84 |
| SHA256 | 2b0f0b2be5ca4c5f7a15d47807ddf567b484f80262b7a8d1e1ce5c3858b588c7 |
| SHA512 | c11177012168d5616618ba9e846c90cf23b14db34b2b186d5cac7d461fa23cfc2cff24025d43cc1e6180b98475fda43601e5aa348b5013d95e0c2681f7951ca9 |
C:\Users\Admin\AppData\Local\Temp\GAIw.exe
| MD5 | 9f7d014fc85eae9e86d8807fb94dae26 |
| SHA1 | 89869b6e6d2052418756879ee10be5e6dc845de7 |
| SHA256 | 23adf26c79251b42882c627c285664a97644efe24f2b4d3b0a7a579364ff1167 |
| SHA512 | 95c9f07ed5f9b59926e3d00f4e2ff71e04c79cba4f73f0342b144bc4394764b5d184d3df01076f01bfa31bd261fbd39b7f162e5d8122d1154cdeab999b9d8794 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\96.png.exe
| MD5 | 25c2a5bf05174996a80bc2eb779ca6db |
| SHA1 | a337a9482a02d534a898a265a9a2cbe6104ddfeb |
| SHA256 | b0bfd733d7c420d6ab187dbf825d32c3eb3a8979fd578748101d7a064121f61b |
| SHA512 | ac498db9f2839fa2a23352d0f7d74c40aed68346baada9c2563f446f0c3cf493169d9d8a6a4f2862faa48a0fb6de45d10764678d64478f77a49c1c04c007d44d |
C:\Users\Admin\AppData\Local\Temp\oMYo.exe
| MD5 | 35cd0eaf469768768562264a87b21502 |
| SHA1 | 3ff39de3d9ee84ae2740fc1c3c5ec16ef180560b |
| SHA256 | dedf6a7c66b6722cb5b5a223de9f7967138539afa5ca263fac62a0f654503fac |
| SHA512 | b09c81cf12d2b724c4f0c36d9898b7833179cbde32c3e429ce46917dff8002546e33f8d51ad4e19995043dd157d1d07cfdae0b80f6bb7d1046801c8afe6af5a2 |
C:\Users\Admin\AppData\Local\Temp\yAoW.exe
| MD5 | 04c50937ea9f6aa3264ec397806a9a4f |
| SHA1 | 27fec340c05d56bf2aaa4068c4aa3171a69ef18e |
| SHA256 | 47313c8a05444617ad3bd4fa4a5d6644d34d129c7d067c6e539b4e1e884eb862 |
| SHA512 | 797b7093dc2afc7f96cbbd9ea317a2c87b87d3e59f762e7747ffdd39b15f8a95b1b9e0ba8bb46cc017370feed7d9f136c3d0ddabfb8672cf6ba5fac9a24760aa |
C:\Users\Admin\AppData\Local\Temp\kQki.exe
| MD5 | 994f792309cc9e0f4f4765061154b3de |
| SHA1 | 951aea688d10d1d5fd0de85566d93bcb7455288d |
| SHA256 | 31dee757024e525c249d01ce9f3c1bf3b6d14d55509d49a305591d260c63fa60 |
| SHA512 | 7de3f2eafc240f4b8889de9a44f6184e9e2d0766ed5befd178ad17f8485d284a0e8c02053db5b6292372450cac260068172c1eea40bd02aee7ed5ff9bf685521 |
C:\Users\Admin\AppData\Local\Temp\SMwC.exe
| MD5 | ad153a59e35fa6980789284be635b553 |
| SHA1 | 1a3d2b5f2c07eae73f3cddc129c252ac89c140be |
| SHA256 | adf7cb3cb846424e69e9273b4b75308f40cc2571edcb31de7d16fc3034f29acb |
| SHA512 | 224067b3bc21c89102518c55b062df5034d8cee946761986a3e5435ac33bb7d717a62aabdd02d53effc2204f508fefef1413de21a82dfbe628b52f59e57c828b |
C:\Users\Admin\AppData\Local\Temp\AgEC.exe
| MD5 | a5c42e1b84693d4c604a22707ec65377 |
| SHA1 | 23de0781b1fc1faa764c92db1aa7ce556f294c76 |
| SHA256 | c2e7ad867ec25d3885dbeb2b505f4e5b4ea847ccfac6ec8c0aed68f668e040b7 |
| SHA512 | fbdaff2dc76da5deca974cdeb6f426d76797d732056328927f64ce0437807cbd61294e34c29643849c7138f06f59e22921966472c7a802290acf64cab6be207b |
C:\Users\Admin\AppData\Local\Temp\GQUQ.exe
| MD5 | 610d4de76c4f4aa0b92f2856264da304 |
| SHA1 | 66e78816b2e1129cf348093e1cdf23067426d35a |
| SHA256 | 6596c8dcd7c71f4832494e1f4e81259fa6e3caa7d418bf85f68632334d04442b |
| SHA512 | 153b50f0e17b30335983d7dbc628c53ae9b7b827fa5dde38e2bfddec2e77cdf0dd045d7b37dda614908391c05c7b18ab3734e19b9858c29145bd5c966d8028a5 |
C:\Users\Admin\AppData\Local\Temp\MMIe.exe
| MD5 | 32af6e59e3a2a7b018d273dc1f3ade1a |
| SHA1 | 81a04cac02817a5a431f44c2b7dc3f695187077e |
| SHA256 | 3ccfef44d00253e6550dd5584187dfaa91d54e7a03311c02c7b42cd34e6363c6 |
| SHA512 | 03b6d3f9caefce712ed2a7f70bd67e1afc2a9c57f7dfda5dd5cc58f42500bc230445ba7006df39cdfaafb4443aa432b43d28ef25b2b967acdf57516abbe52608 |
C:\Users\Admin\AppData\Local\Temp\CMQW.exe
| MD5 | 0c3316c0fccbb0754be5ed0ef16a2a7a |
| SHA1 | b008098b14be70c12db108723c0edbbdf325a38e |
| SHA256 | 90e12b50a3c8ce8e73356b9d091bc686b85c728a1227e9f3dd6b0bbe81007854 |
| SHA512 | 01ac2ccff5cc790b4ed511e6765af9382f4a1b043a4a26271608d75ee76e009043cc65934e9a52cc4d29814f5a9a0a6e601c8e820b6b60b67b8c388eb0607ff9 |
C:\Users\Admin\AppData\Local\Temp\KkQU.exe
| MD5 | 3e246425db73f7e3ed3e4ebae8729eed |
| SHA1 | 6496034dc3261d57679c14ec6787466ee0dcd675 |
| SHA256 | 4e913cf22091b31fb4b27c5201534c0b0aa990876bec1bd4d23a23f8bb7ea0fb |
| SHA512 | c8c1c28acc368860591d60eba8c4762d2b0723154520ef0e640d6ad1a806b67a8bd3710eb9e1ea2890f7d2cb08afc2f0f10be8a3f8fb857a65df9e997d68aa53 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | a24e226c3f79c9f752e8179b5ed8ce3a |
| SHA1 | f81eae02464f8428d3161a8b0b46c58ac65ef2c4 |
| SHA256 | f16c4d5cb6a84659b6ae7414061956723dd970d2cbb2f905fedd952f9dcb2d8e |
| SHA512 | a84a31b1c5809fe7246b413505070328f872c9328df9b6cc6c6269649c06237249de904a46c19115f331d4e054231be0dd05d1fc8cb6b130864223207fc1d3e6 |
C:\Users\Admin\AppData\Local\Temp\SUAK.exe
| MD5 | 7e73a1361575d6e3c12f22375530df81 |
| SHA1 | b64f04077b4a80037ec59b3eb99920925057de8b |
| SHA256 | 4852a1bf75dfd391045352ae19e65168c9f65c18a10619ab65a915f32b3eeae5 |
| SHA512 | 1a004b670c2e65dfb405fc86865a7f8429c354f28626196cb27f512cd91f1f3f1262cf6d182f17f18cf8eab7191a850b6b44069bb74238aeed358b8c71cfd30a |
C:\Users\Admin\AppData\Local\Temp\wUMq.exe
| MD5 | 32c1b9d69ea7acfdaedfa4f86e741005 |
| SHA1 | 86318a70e07a2929c98914be4d3644612a8cda24 |
| SHA256 | 08eb1ddfda5a3cd22f0c32d75f4060bd07780eea9327914bf5c987589a894c48 |
| SHA512 | 76fdae8f8533f747805f9446dcbb5ce100787d126c63a2f25692d3157085ce2077727939ac800949ce5a4555354f4a13656ea1759f30f17a5eeba4909e43624d |
C:\Users\Admin\AppData\Local\Temp\ekoK.exe
| MD5 | 97746c6807dd31248b8925d1df0a83b3 |
| SHA1 | 98c632e7426e7cff179410f09b20624e90a8ff51 |
| SHA256 | e26f20c6802b99eb89a19c3406e96c9d449a61d3422880bf699e64e72ff8b28b |
| SHA512 | 8dcfa21936b08ab99742062064a818abd1aae4f47f7c5faa735d3c570b937712e7001d2104f88752762fe7937066040b35cb2caa60fefe0fe2f8bd342e9d95bd |
C:\Users\Admin\AppData\Local\Temp\GEEY.exe
| MD5 | 4550994066d890ff0286001800c17e33 |
| SHA1 | 6a18973ad72b8a8a972b1e9a70d55a61fbc4114e |
| SHA256 | 87c94b364297cf53015ce5aa7c8bfb24493cdc3c3ed41f6ebe0d483c2cea4c9e |
| SHA512 | ac6e66f57ca62da89735c8584e80f53ad90da7673f6a2be330fcdf74e6a574c17ffc28ceed8117c88e9562e42d91ff34b03c80958b406d831628cd5b3c70397d |
C:\Users\Admin\AppData\Local\Temp\Moom.exe
| MD5 | 5917f550f6bf64062700e4e4f78bde6a |
| SHA1 | 335c3f61d3da044475b58a9ba72d447417fb3812 |
| SHA256 | 4b8a27dbeb0b2c26da76924e41e0318772a92e2d38dd8df7316c457f27d33ddb |
| SHA512 | 50b7f3f6952b4fb0098f1c38920623516d9f0002b388de0d36c1b72b6c7714db9eda16c7a49f2b79f7456ee5d43dadef40bab9be6f283351b0af26ae8b872170 |
C:\Users\Admin\AppData\Local\Temp\ksIk.exe
| MD5 | b0203c7f05a9c5b674d958c3b8cfc970 |
| SHA1 | d079e6e251cfc3b22f411c297bf2f69c643eee88 |
| SHA256 | 4930bf7552892d01c63328af2a67e05893a1b5e6d84dbfea59e4a4137717bfeb |
| SHA512 | 3de86335a7d93049361e840c8b7a61bc65472d0fe823e83e74ca5fbb5479e1ec4f643e7af5df90e1630c12dd2c8129f26aaac2b2189497245749ed32de167935 |
C:\Users\Admin\AppData\Local\Temp\oUIs.exe
| MD5 | 1e4146924efde7bd5f50f45c5d430cb4 |
| SHA1 | d8a7118ad24d6a467594575d5212f8afdd8ddc13 |
| SHA256 | 546b5bd77bd04b251d29a76fa369f463def8dd54cd8f477e91be3c3ea4f8da6a |
| SHA512 | 62032a3ba3a527006212ed251d8717a05d0c98871b656267c4d6676e877e01f7c013484a7fec5fc3f6084bdc3ffa561d57c9bcdc79cfcb1d7c8a667f5723c36a |
C:\Users\Admin\AppData\Local\Temp\CUce.exe
| MD5 | 81f9b1dbf26a84bb9fb7a448e6d654c6 |
| SHA1 | 9d73f42c0ffb5de54e4a293cd9d1d95179229072 |
| SHA256 | 631f5c76738a78ef61fd157d2107ded4559242de1f0ba4e400709b40e81eed31 |
| SHA512 | 48ec483b0e55e7167f0b67724aa32e5c0e3932c74fbbb79244442f511fa940fb5c781ff250dc0432301ba2cea0832f06bf8861fd426680e9c26ff2072ef6144a |
C:\Users\Admin\AppData\Local\Temp\wsQk.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\kAwM.exe
| MD5 | 5445018172521fa2f5aa496edd9c0e68 |
| SHA1 | e929b39c3ab1a9c9c18c80fdb6a4e8435bd71644 |
| SHA256 | e6df692e7a16dee3bccab344d2bb909d0fde08c9f8a7ba33a957b688a2875179 |
| SHA512 | 3cfc40fd1d305effc7f774c0b47bba480263d21f1b8323c3a90fad2920585e1bc5cf4dc633256cb8a5ebf1d6afff3b34ca63e74bbabdaaadf909142215801323 |
C:\Users\Admin\AppData\Local\Temp\OIMi.exe
| MD5 | 4440bada4c6ec28297ab766d71454401 |
| SHA1 | b8aa1003fc44d413c0d398dd1e2a84c67bcaf6f4 |
| SHA256 | 687fc53778a95ee892c4a1163347eb6df7e4a2e211a48736cc1b2524591ffb1d |
| SHA512 | 58a9a5cc071cc02ce1929a062aea8c859048fafb95c1558abcc672c3add3d0c766581ca63e4b018df75803e47fc2a682fa93280a3d9210d0bc88ad5789153e36 |
C:\Users\Admin\AppData\Local\Temp\ukwM.exe
| MD5 | 0d52b393e144dc09a5c0784fdd09713a |
| SHA1 | 76fb19cd18b3c82955651293cf4ea45d01054fbf |
| SHA256 | 4b468f1535cab3c5e17c9962f31eb4fcd70d41b2f77eda778023a950ca3beded |
| SHA512 | 1f12b9cb36e63ef7181a285801d5f643f5a05e275c4dda5c88136a843eb3eb512639950342098c24d56b4116100725cd045b0b845b5debda4d10ce6fa0ace77d |
C:\Users\Admin\AppData\Local\Temp\mAUg.exe
| MD5 | bfbb02c9b84bc75b144722b3c7951bd9 |
| SHA1 | 9468b17fcf6e2821505e762887d8583d40d3ce68 |
| SHA256 | 2203548b32cdb3cd89635424d9e9d340152234c25892a58e4d4f2f434115345c |
| SHA512 | 71216c30e7f6c401975cce4b3b1e173262d91766a25c5a57a17c21323eb1be4c4ba1a17b055a599ee6cd5157217a00f86dab8c629fd61fdee0daffb7298b5951 |
C:\Users\Admin\AppData\Local\Temp\ioki.exe
| MD5 | 22e31fb64978d38ef56a7f6872f37cdf |
| SHA1 | dc573ed255fee58217f88980ad0e04e08b1e863b |
| SHA256 | fe54342191cb641ac459d0b857891820ff1548ed739d2b74c6a82bae3d0c8a1a |
| SHA512 | b3251b1dc02035e125e58b6db47f0f4902f5f4e090b59cafe890c76cbd28589804365e5fe4ad25e1dae9b0649d595633998a8090a9d32fe1463de1c8d08eefc5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | f0e4e0fdd9ad00bb1d9247226750df33 |
| SHA1 | d7fbe47a563fe8ecd960f30feffc34ce0114381f |
| SHA256 | 7095786d98c03a694f68eac79c90f2e9ef87f09c46f7ec09be85763171eac0a9 |
| SHA512 | bbf4bd3df71842bc106c8ceeb7ec075b5684f51c9c9d96009dfc5efc16936b2ecb01a2701e51d1bb59b74e6b029095a9ab33716ecf5bc8076fe264d52fc897af |
C:\Users\Admin\AppData\Local\Temp\Uwcq.exe
| MD5 | fa4ff90661fcf723c6fe07a36d90924b |
| SHA1 | a309b99fec9daa86c4cce1d554a88dca888b7593 |
| SHA256 | 284d42970482002fe2d1568ea7205ae8798e35b7586e999888a0cb275989e477 |
| SHA512 | 7bc8ce9e39623c695bff8a688ed6334536425f1b214bdecd1321c7daa1bebd4119c2ede2a9adc296470f70028a9acd3ab65c3a39eacff1981a39a5056a095e1a |
C:\Users\Admin\AppData\Local\Temp\Eowo.exe
| MD5 | 21a97d5f365380e70a9c6db7fe80c333 |
| SHA1 | f10f2ff2a90329d917faa602c243422068f900ae |
| SHA256 | d9c527965528fb57b1fbf6aeddb8b258c0dacc3eeb684389e049e05126aaf7a0 |
| SHA512 | 1c23e88a34a7c6f1545fa5f8ea88476a979fb2c55b1fc991e8f7cf0b6619d3b627125b040f86528c9c5590012f6c03394897cfbc3a23d93691d09c67088faf25 |
C:\Users\Admin\AppData\Local\Temp\UcMU.exe
| MD5 | 150748a5147279af3c49b145d5309785 |
| SHA1 | 8248c756b95e01bb00b939541921166238adf673 |
| SHA256 | 57bc764b7936670e392b7cd7c1c210dbb44bcdf071741002aebb2cf3416cb807 |
| SHA512 | 9b563acff2f84cc4058be4b904a39b3110e2df36487353225d47b1522390799bd29ec495aa73a077a110645af51c6a5fe783c6ae0aeec38d1c0511472e6a2f82 |
C:\Users\Admin\AppData\Local\Temp\OUQK.exe
| MD5 | ced903d864fe4f0309b5c81085d5bd26 |
| SHA1 | c67938d93c4e04f8c0ef557fb63bba3f305c620c |
| SHA256 | 4f7afb255456014eabfe83c8c642103cfaf3ba9576121b21b08f13c03587edee |
| SHA512 | 64660cb03231887d936a7f451cc5ff5b018009053c0c67726e1d12cd28489489d46e5650838a78db514902f21818bddc9ba990ad8fdb7b6a280166e9505ef30b |
C:\Users\Admin\AppData\Local\Temp\AgIS.exe
| MD5 | 5d4b54db3f206ae402260f2d5cd78b95 |
| SHA1 | 4ede083ff562d81953fe766dd0838b9fb5eb9443 |
| SHA256 | 253567e66881ee822042e2a2829302181afeec9843e424fa4724144bf5d72c3f |
| SHA512 | cde128baefa3f398dacbdedc3280e904542750c1295e4d72ded2402899287d0dab5f4474676608302fe2d22377ac09b776364dfe8299b92d8b9a834e50f29530 |
C:\Users\Admin\AppData\Local\Temp\WIIq.exe
| MD5 | c083616920a1c824341f982a4f26d1fd |
| SHA1 | 52f9b0e8527d382ccac8d75df22b41240fc09f2a |
| SHA256 | 8807c60feb279c10851402d622f552ea4cb5e6ce16e103414a4d8d7111a11aa1 |
| SHA512 | 82a1c63373a115751b96cebf2e0b5e6b075bbeca0b840a737669ff24a943506417cb1f46081866d1d9fdc9fcdd03290a8327173ae4ea2cc7d2f4b4a657e6957f |
C:\Users\Admin\AppData\Local\Temp\ucAe.exe
| MD5 | 71226baf9d366a1fffb63e6c6a9c08a5 |
| SHA1 | d51311cb0b70d0466306f9c7a5e0b88c1802bcf1 |
| SHA256 | c069fd90842b8729ac1e7933ca5e34edfec069abeb7aa7547d1e10b947c5bb71 |
| SHA512 | 503e43e6e3d28fe022c2d88aae2f3248800931e5d5ab5cdc21ea4c4708056b7a85f05d3572f826f4f126fcf250cc7aa3c1792b8c5d1f1e604263e26dfc9bebfd |
C:\Users\Admin\AppData\Local\Temp\MUwW.exe
| MD5 | 2eb05149b697f1c602582a6aaeec51c1 |
| SHA1 | a2359ecc0ab9003340a5c8544501f099d431e615 |
| SHA256 | 4451409e43e67f1187317cb6e26d6644754c5c79358266e248971f64b4a30cda |
| SHA512 | 2a8deecd33b78ba8dbef53aa9b1a84bad4594019b8741347fde25cd720989367d80ef8b1bc9c9505f4b63e470f83dbc5209349df3e8afb3e622df610dcaa1b53 |
C:\Users\Admin\AppData\Local\Temp\kEkq.exe
| MD5 | 68aa3432009dd9095ec1f34ae5c0b9cc |
| SHA1 | 352971de8478c1049da8d6ec7ddd5fd4d79c18c5 |
| SHA256 | 886fd2bf785bda85a77a24bfc298c93bdbf150215bacfb87e8585eaf04b7d713 |
| SHA512 | 791734c8c59c56e95adf08f4f2985629dda70f4ccaf4d382b3ce172b33bd072ef02bff2097f039c9bb89974c5ded8dfbd2214e551a0454736ce9fcd63333e8a2 |
C:\Users\Admin\AppData\Local\Temp\SUkA.exe
| MD5 | 6d0968d96eac86d1f17fab5f4bcbe4fb |
| SHA1 | d02c5829ed1dea2ff6fa86488ab9438fe88691ae |
| SHA256 | f7eea22eefd02b908b377374a120de6af776260784e522b90d78867f8b63a0f8 |
| SHA512 | 06eccd8434d7076fc93e2445c2a4c22281a8efc6ae2651b463921c8ffba015ec018261d1afadcaea0423831a398ee3d567423e4be577a04901b6f7111ec2676e |
C:\Users\Admin\AppData\Local\Temp\qAwm.exe
| MD5 | 9459e228ed5d43506c275df922b7d4db |
| SHA1 | 84c380003a13733e752a164bb3b24a0e3af99e7e |
| SHA256 | 0ad879c2670da3f0aadadfd7373473f7a9e3229e0c11ad110eb0dc0bab2d7f26 |
| SHA512 | 95a3903b39190f95d3eadd59b3bed4c09e4102380c2154eeb054dc8b098568f29f923171d64d98f962069570feb65e231fbdf9f2d1b7a1a3141610814c503c20 |
C:\Users\Admin\AppData\Local\Temp\ygAq.exe
| MD5 | 7a122b7e3f92cbfbd3aa5e98728a6409 |
| SHA1 | 684f2f59163673cdc2bf41e996947561cd53556d |
| SHA256 | 463473c93ffd7070b3cc30e4074859aa7dc2b6725ea0d1e2fd58254c11a8b671 |
| SHA512 | 9bbe006eb1c552b15e78ff11ebb79c3dcb873e5c5d0788c0d0235fb83bdace7b4ce8d800ecf73de4b72343217a3597321f7f50c2492eceaf71dbfd4177bba37c |
C:\Users\Admin\AppData\Local\Temp\mAwK.ico
| MD5 | a35ccd5e8ca502cf8197c1a4d25fdce0 |
| SHA1 | a5d177f7dbffbfb75187637ae65d83e201b61b2d |
| SHA256 | 135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715 |
| SHA512 | b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636 |
C:\Users\Admin\AppData\Local\Temp\KsMK.exe
| MD5 | 821b828cc9096baef3f28ed2ed0f3f7c |
| SHA1 | 6b87e8350f76ba8f9e02b1d9c9025d272b34dc85 |
| SHA256 | 5910d39c5c19df1bcc3836cf1a54fd67b61fedc7fbc73e124053b70cd8aca59c |
| SHA512 | e62b0d7649598333a5d2566eb8b8e14a55daf75efb3456950e22077e0054fa71897002b5e50e033127ac299282ddf7e4bcae53a4883488ad06d7b3103e40d306 |
C:\Users\Admin\AppData\Local\Temp\KoMY.exe
| MD5 | 601814f95afae87dda70cfa043add019 |
| SHA1 | c1b7521c348e4621ab25502ef56f05a4ad380347 |
| SHA256 | 4cfd7316a52fcb581d21ab9668a56dd3f8890b9c90a10bd78f5a71dd8dac0f44 |
| SHA512 | eb3b8388c9c7ec896ff5942427030d48b224a23646eea29523d5ba523a5dd1ee132c8bfe5e1d7741ee50531334e2bc510cbc32533409dff37fd81a3d8d979255 |
C:\Users\Admin\AppData\Local\Temp\qsAO.exe
| MD5 | c9988553b6595c6a06c4e3bef5280bdb |
| SHA1 | 0590a85763fb88841fd45247f45662c531dbcfef |
| SHA256 | 8bb35ae5b9500f3a9eec2c1849cc6b3e5bfebf86c2884aacc407927433fbc8a6 |
| SHA512 | 9f9ea638dccf40562ab574934d4d735c47292dceaef470791328d571c1ff54ab36984e83da922904f371017b54929050b58d2f8c1c7703d2eb7d2a9e612beb92 |
C:\Users\Admin\AppData\Local\Temp\akkg.exe
| MD5 | c6e129208802e8b88fae38ad35488e4e |
| SHA1 | 5d859cfc621915637d86229f72a59c91439a97e0 |
| SHA256 | c1b2f74b30f64a9d3add19eea90c8068239435468c74e433e1dcdddd326e80b1 |
| SHA512 | d2d082c753c323566cec81d8d5875392ebfbe8938ca68d723ccc19e55b336bfda2ed9a51fe7232cf15b27473b21db2ba5b76577b5c02a2ddcc09408d4675b1aa |
C:\Users\Admin\AppData\Local\Temp\wYAm.exe
| MD5 | 561d29a7d4381bd392f8aed9b4e7665c |
| SHA1 | b67213c8f9aa85ce69ca16c1648a4f83abc6e0b9 |
| SHA256 | af43c3ae782713b501637efc368ab4c3bdb00acd1ed0bd09caaac98acb670614 |
| SHA512 | 0241cdcda4fb4268740d744ac02772699393d8021b0ec8e26ea2e5ef1419df601b456cf6cd60223692fe565944295b51aad2614eaa1c9de72f688add1c1dc37e |
C:\Users\Admin\AppData\Local\Temp\Cowy.exe
| MD5 | d5d242512c6ffe538af8f24fc3f6b67b |
| SHA1 | fd0d4756ab838b51ac6b7ff958a118171a6e27d2 |
| SHA256 | f80c96bfce24fef4294ffe28767f6a82644c9ffe16a0813f311d2926a42e3f62 |
| SHA512 | c62453cb3be1a14a750ef390e99a1c61bd859fd293c142b53e18bffbdf36436f80fefb15be0ee5e72a8e8c24c505da6bf2b5dd753c13b66f49e67b7584f2885a |
C:\Users\Admin\AppData\Local\Temp\owsA.exe
| MD5 | 1e12856d063d6b42f236e65f0af930e1 |
| SHA1 | abf1cee0536b720b7e56e33fd8e75f46397c2aa6 |
| SHA256 | e51e16e34fb8f4f2ecaa59ba863639db2c4c140c31e7ad5198c830a335846e09 |
| SHA512 | ba7580902e23606650dfc405b618a11c1f7defe1d86bdc1e58dc4bac694511fae7205592001228d48828c71eb2b017716dd5c1cf7f409c25681bcc448ebdaa3c |
C:\Users\Admin\AppData\Local\Temp\sIMM.exe
| MD5 | 25019b066583c7992dd44aef72836683 |
| SHA1 | 63ca355580344eb5363a44b31424bb76de5a801f |
| SHA256 | 7f4f295a2b55fefc96f9256b7eba68f955aa52b8117f76b96110a31839aa9130 |
| SHA512 | d7a9ed016f26e9682d7d14374feaa701d8324bd4a7e2aa4d56f511b237ec21176a49832f4ca2bb2aa45b4f4b7bbd6a5a634bf388d72f21b4254ca48ff828fb0a |
C:\Users\Admin\AppData\Local\Temp\YgQi.exe
| MD5 | 8186e262c15330fb07ef4d9290d2082d |
| SHA1 | 11a8d8502467fe61af2dfaa958bec57e0c261616 |
| SHA256 | c70f8096fe05d468d2d6721dd932b05378efd8eaec04286a19c72e54c7a1931e |
| SHA512 | 818da4e8daac8088ad2bdeeb2fb64a8ec66fa9dab9d14f5ef8a94f366b621f1b3384d19b86acdd45276d9f0489db076945118364ee2d9a4efd55adf3e0fd2516 |
C:\Users\Admin\AppData\Local\Temp\mAks.exe
| MD5 | 22e352a1a3bc329e1d643166a5f11d07 |
| SHA1 | 3a6fd9edce828b6deb216fd530ad3a8f3d3afad8 |
| SHA256 | 541953bef5559e4b99bac0edda5a17ae9057239444f33c4496c6fcd4c36f9abe |
| SHA512 | b47db510cde9b3103f19d43caf7a91f71f5d2d3393e27e7a6f0060bca03c33f84719cd20dadf463de6267e947fd5de574e24c5e2cdc0cda32353681aa0c5606d |
C:\Users\Admin\AppData\Local\Temp\qMUm.exe
| MD5 | 553a34ee953b1356bc7b416dff39fbc2 |
| SHA1 | 8d6fa55409ab1ab1de4e6d4e6f98710246354795 |
| SHA256 | 28a6039bced4c82d9f671cd89324e3affcf99fe16fc662e711d66a149dd91370 |
| SHA512 | 9ebc6d4e002e3f4279ce2f25c41101da56fb48122157cad0f8c682a37e039741aac547626fc1ba70f425b19654c9a7e32ab3a0881f5e4979e8380fcbff00ba9b |
C:\Users\Admin\AppData\Local\Temp\aEsM.exe
| MD5 | b300f95f9e2ff9d94f3eba5ebb991d46 |
| SHA1 | cf348b448aadedd658fdf8eaa0e89fb6910ba086 |
| SHA256 | dea447c3d99155df921fb7e2b985bd846cf8dcad0a6a4ccacaec957fa9cd0fe0 |
| SHA512 | 0bf9fd1daac801289fd9c3a15de4bf870158d6181d86b464b6bf8dc3da016c195b6a26d62cb76a70cfbe03ded155de57497d1ca93094b95ce63167df78838dd8 |
C:\Users\Admin\AppData\Local\Temp\IIsg.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\OsII.exe
| MD5 | f6f0173f9d278f8c0424993e8f8db975 |
| SHA1 | 708a83118df53ff411eeb39231dc62c78962bdfe |
| SHA256 | 6441c8ed217386796b7c646322a6c4a9a277386d1d25406c097caa253453240e |
| SHA512 | 37c684c07343e248357ae7d62bb9b344a2b27357ef383999825b7a0a1b0a7c8b6246054cf0d576350b62c310dbeced83dd52680e01fc3b6e11ff38ba40aab679 |
C:\Users\Admin\AppData\Local\Temp\AUEK.exe
| MD5 | 2bdad8fe562303a42945babd021ed64d |
| SHA1 | 116a4adf0bba195f3d930aebe1f12fa73aa65f60 |
| SHA256 | 7d811e5980bd4c6900dcbf1f5f21d65bbcdc102fd6b69e74ba0ee4a18417bbad |
| SHA512 | 5c0daa96b611d978d38b9d19ff688e3d7379f28e4ede0b7f9e790e35a078a92ad8ae53d54a1e02ab0f8ab9b2bb664a05297d016abbafb00931159dd15c3eea5a |
C:\Users\Admin\AppData\Local\Temp\WIME.exe
| MD5 | 348b0d165f72a2ccf321aaeaede11b4f |
| SHA1 | 020c80e1c5e94c0d472c83c73ce10ce0799252bb |
| SHA256 | 105ab79990d391e862be59bedf8abf3944db7c4006a4e7b1340bf26ff60c2d1c |
| SHA512 | 9049a17cced95c3386ce77c7d02a4a061c3b34b28147593f8b829d51d35c0de2dbab7084b19679afb87d56c7267fb5f6ef1844bb41b51a502241d2fdb744c8f7 |
C:\Users\Admin\AppData\Local\Temp\GEEO.exe
| MD5 | 589be36fff1904878c479e9e9bbd0568 |
| SHA1 | 7d96859ef1b9dfe205ea03089f0be39773fcd49f |
| SHA256 | 797037d0d8ded9964ce5dcd047945ed1d05ffc2eae1bdb49935c5705a3530c1a |
| SHA512 | f610afae35096214ba6939e70f06e4db750aa772dffbdc45d0e9671288d74597e4c605f7ca4edc5c6814ff29cdbdba7a8ba0e40c06cbc4d40e2a540b46199edf |
C:\Users\Admin\AppData\Local\Temp\qsYk.exe
| MD5 | e03dbc3875e457dc4b0cefa8a9cb4c01 |
| SHA1 | 4fe29c83a9612dd81867afcd713a4136c6dcbc74 |
| SHA256 | 6ed0d15f78f4d5d4752f84f290b81fd7e64d86385ae7389c6ba8e0a203460516 |
| SHA512 | c9abc049cf5a7ffa6ea1a8d72aab9949edff0e8e4b0a0c82ce8b3b3ce0bd8b8206f3ef14b50695601bc11b6b59c4691453a0051f0edf2c01ad11a8f9335a6f84 |
C:\Users\Admin\AppData\Local\Temp\egQU.exe
| MD5 | df07998b80ba5bddd566a80062cb0406 |
| SHA1 | c400eb6ef6be630d9c96d20e5cfee36df3a92620 |
| SHA256 | f5cbb6d9aab3b108ad94406fbf8e7de400d943c69008e30cffe7fe09e19f248e |
| SHA512 | d44bc6bcaab48199fa40c7a664126b261a239d8bf4e11de80d407f73f14602f845807784d7164fe8bc758a0c99a1352c4d357e338dc280817aa097f4b89a8740 |
C:\Users\Admin\AppData\Local\Temp\YAIM.exe
| MD5 | c39198becf44114472a0d4d0d0f8b16a |
| SHA1 | a0086e347e7335d0d632160ea9d2719fd6372f8b |
| SHA256 | 7e2fa2c92ddac837e54820e45589411fce77808cb29fd2a4259c69123b65d249 |
| SHA512 | bfb7ecf3eaa564401cdc3512c74edf4a3a4e1caecffee7a95703726cc87687829c45cd75fd56ce74e9d7f398fa4b8a7a58b02907249bfce69db036e4788f6680 |
C:\Users\Admin\AppData\Local\Temp\YgUm.exe
| MD5 | 9695b34c6643a64f4f1737b5eac6a6c8 |
| SHA1 | b85b4fb89ac5081d99ebb38dddb6fbe70b137db9 |
| SHA256 | 1b75561c5aad9f64df45ab8ed19d8d82f008c5aacab24be24374a6210da269fb |
| SHA512 | cd726b9ada5e274fba50ed2d8d279eab8a60ab85daf60a191a2a4209b8a0a5cc28fedc8f9f0b40615ee2860272ac707b76fff9d763736d873632be1aed120ffa |
C:\Users\Admin\AppData\Local\Temp\mcgY.exe
| MD5 | f3bb383ab45b48d0e5423a2168ad544f |
| SHA1 | a4c63d1f41cf61882c1aa32fcf68a6645b03b15e |
| SHA256 | 8b632e505a4ffdde7da8cf366298bfc9608aa9a1c659ecae049b920c1056d8f7 |
| SHA512 | 253466b9ccb2fcd2146c8c722a52ae60ce383dc766dc8f0d810d22b9ecb92be3b8812611bb996e271214c58542c457487cf1f5e536c64e4fd460f38db8060849 |
C:\Users\Admin\AppData\Local\Temp\aYgo.exe
| MD5 | 1d83478095c0f8363f477784d4dc03ef |
| SHA1 | 32e1d537db708e817c082d2bcd1a582038440121 |
| SHA256 | 37595ba50c9d7ca1276df1126e81170b9af77b2d6fd6a78e27d7f85a1d25a338 |
| SHA512 | ae8acfd9a571725dcdf812818e2000f1b764566f6026e2e211462d6689e8b7496c557f70d2d950f825b24f8f1e5b73a40a839f82bf26f3980920a5173a3745a0 |
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | cb2186de9a20b68e1ab84735d9a8ef73 |
| SHA1 | 4e52a8bebdf0713c16ac2f21337835533fbb59b0 |
| SHA256 | 137073fa3a820396c416c6645dfdd7644d4ee4c064005a5d55d36efc4d6c816d |
| SHA512 | 24ad1594c448e4fe5fc775725095c4fad3265c922978a8832327a29e322275f27e336354f5fc7998592eb0ea9c6ba3e9f349738f1b25b5316a85c200fbd5e37f |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | ebfcd97c1bca03ff174172717b4070d7 |
| SHA1 | 08cdfb32fcc73235f8b9595171370935cab19146 |
| SHA256 | 33112093bc11b8464c2c8ea22c1204518c24a9b54f1ae081ceb1289226d9b99f |
| SHA512 | ff00034e3ae41188231c5b2b115a9d09635385b6e4ae1faeabea912020cac004779249039cee31ca9cf1c06e0a7f58437d06f444e5ea1bd6ee71b36edbd44767 |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 395d7116ff0a280c18443bf9efe89b31 |
| SHA1 | 8af7b1a715c6d287cc67fb4bfc95c32e85d194b5 |
| SHA256 | 23fe64bc41b771d9bd9227b4c9cba5e4b1505867f68401517be0bd85a2e5695a |
| SHA512 | ca867851183d83e848bb3e9787878339ba9bb2c88574c22fc210a4d00892dc7f9f2b960e604cf50a44703cc7f74842e4580bf164f629379e5bfae598804ffeb2 |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 673df1e460c72da04a63105c0eafd126 |
| SHA1 | 142b0b44f0584f847d3e5f76409fa8d6dc29a32f |
| SHA256 | ff43ef42f7d8ba20d5b2f85724a3e69d923b56fb219eb77a0ae321e0ba5cdc3e |
| SHA512 | 8ba2c917908b1848ff49780359d84795bf5dd14f986f8f13cf55019fb1a55b2065c7a63328ee6e9961a40d24b5bd84b5ab46b1c6b3dd2e59dda68ffec323f36f |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | b2c511c3fd2804b4f707043a559c7050 |
| SHA1 | b2ea5f180e7162cf71c026526cb49e850ca745dc |
| SHA256 | fda3fefa17f9f667fff08e7f691da217409375c766e2997b3cce6d74b94243f3 |
| SHA512 | 30d540e7c717d474bf3b95a2842b44b197bbb27ab09514d404052027b61897f953e08553d18d2c27cf92990e27a1a4309c5f17030fd963e525a13ece176cd84a |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 64435a039dd860af88b5fec9f777dfe4 |
| SHA1 | 671301174d3c7bf13e658cbe81caf9a8da433483 |
| SHA256 | cc2ed501f69bfb9ea58cfa4b746e804137d8b89726197063216dbd6f5246dbf7 |
| SHA512 | 6f057dcf52d813fbc422510b26e7101117dd3f9e0fcc60905716b64bb8e368418e6b9a2685dc8e04f26bb622415b51567b49da4385709de3e56a61002240457c |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | ad0a84a24d629346241c8262d7e16d52 |
| SHA1 | 1f626235bae3fa05ca7c85e7212d7de7ecd25d21 |
| SHA256 | 2b552f0177fb0dcbe34b69ec10032952ef17bd02329be606fea3e36f0100d1f9 |
| SHA512 | a1d963a89da8eb81e5eff496232a5e508a644ab1d38a87a66d646d69a8ed95a1efa61dedc65d8e8833484b688b4e096a4bbf5447318e32ebc07adb42012db5e6 |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 0e8e1e97f3cd91582983d7379dc60cd4 |
| SHA1 | b4aa0b38c590305a9ab62876668f5bc0cba51079 |
| SHA256 | 1ad6d8d618a7e3b7cba2301d661bb4800af32438a0e227cba6750b5f6ec54804 |
| SHA512 | b141c84adccc3e22a2a978907dc79f8e1eac41af4183f27399efdae582e2be094b10cde3ab2944e951da3c316a879c10354015b68ca32b5aa7c9f034b847184a |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 3380eb1defd241ee6bb8cff5c5832d25 |
| SHA1 | 279f1d93b27d6e5a5e7cfcff38df1ec1a76fb064 |
| SHA256 | c3858ad5f0f7003cf09e71790f2d584e377ad9ec5b9bc592afb9a43637aac906 |
| SHA512 | 6f74c4abba34e00bce484f04ef22c27a037b4ed70680655c01d043d28b1f963339da90365213bc7604ac73515f9fb1a45baa2efea5f4687ae10d63a6001c7695 |
C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf
| MD5 | d74b4f3787a1f9382ebf5fdf9bb17880 |
| SHA1 | 430963398c558fc5e669edf0b83b67713c21271c |
| SHA256 | a5af2fdf8d0470146cd36259c037f8699590eb813cd1875d62a1208dc7d52a7a |
| SHA512 | d2bf0c0d32a4f9b4f961153f30a7bb007d000438937f2fd8c6fcd5409979bc6d6372d96c2cd297ccdcb145173a84790cfb0e7a12a7fa06e5f7ab3df28f8243a9 |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 40cdea3ea1e9569ffdba2f7f16185308 |
| SHA1 | cffafb58d26d700e72d1be702835e6d486a8d05c |
| SHA256 | 7a8bebf87364be68f0797e2bd5ca0c0e07aae875ebcfd521f69f522e4c2120d8 |
| SHA512 | 8df0932ac63318cdd2ba94f5fb5a4ac442d2acd2d65678e4656fe4994577e20851fcb58db657e43956ed1d8f042f97b5c66ad2df129fd7bab91e1cd82abc0a30 |
C:\ProgramData\VQMsgMUg\KcQMIAgE.inf
| MD5 | 696d499c6516808f5e92a574c75ac70b |
| SHA1 | 44269217255cb06bd4e8d753af017b261e04450d |
| SHA256 | f8b179b269fb18b96039410605673a7c6fbffa3090c3d96abf8c0eca73035b06 |
| SHA512 | 5be04c9ea1ace2eadb6010a351617a8237f0dd9e699f099523d8fe548c8e4a3454a6716cc527b75136bfb8f4303266006bd80e553565132b1e6ff1823b31a9fa |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-29 10:35
Reported
2025-05-29 10:37
Platform
win11-20250502-en
Max time kernel
150s
Max time network
102s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (90) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\ProgramData\GWMUswwQ\dKggoIYI.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\ProgramData\GWMUswwQ\dKggoIYI.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\zkkswMkg.exe = "C:\\Users\\Admin\\yWYsIkgI\\zkkswMkg.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gWMMgUYM.exe = "C:\\ProgramData\\lKoQsgQU\\gWMMgUYM.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" | C:\ProgramData\GWMUswwQ\dKggoIYI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" | C:\ProgramData\GWMUswwQ\dKggoIYI.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\lKoQsgQU\gWMMgUYM.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\yWYsIkgI\zkkswMkg.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\yWYsIkgI\zkkswMkg.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\lKoQsgQU\gWMMgUYM.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
| N/A | N/A | C:\Users\Admin\sussEYcg\wWwsUwcg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"
C:\Users\Admin\sussEYcg\wWwsUwcg.exe
"C:\Users\Admin\sussEYcg\wWwsUwcg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\sussEYcg\wWwsUwcg.exe
C:\ProgramData\GWMUswwQ\dKggoIYI.exe
"C:\ProgramData\GWMUswwQ\dKggoIYI.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\GWMUswwQ\dKggoIYI.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naIYMIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Users\Admin\sussEYcg\wWwsUwcg.exe
C:\Users\Admin\sussEYcg\wWwsUwcg.exe
C:\ProgramData\GWMUswwQ\dKggoIYI.exe
C:\ProgramData\GWMUswwQ\dKggoIYI.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCIgUEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agYAEIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKEgkwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMooEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIQAQAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwckUcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYckYcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqUcogoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOQIkMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQMAwMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMEYMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoYEcUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMQQEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMIoMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LysckAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYIEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiQYUwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwEUEIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BakEcckM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSsMMwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMcsgAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOMEYcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyEsYwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAkQwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAcsYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqkYQgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEIswMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIEYcUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruAUsIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMQUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkIUgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOAckcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESkQEokY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEYsgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuAwAwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jskkkQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqQgUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWUgMYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOcQwsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQAQkQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGQQMkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKMAooQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsIUEIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyYwsUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymckQcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYUoEAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIAssUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkAAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgUscEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAMUgQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIUsEggU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYcYAoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEEcMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEkswIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOswYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgUwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUcIoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOgUoIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOAogEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SskksMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAQgkIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awkkEEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEccwkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMcYQsEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jScEoUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQUgogoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOkYAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcoYMcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGQsIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PogUsMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYMAUUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DawUAcok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQkEIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aowgcgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCQEkMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQkAMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmoIcgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIkAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCcEYwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmwkIEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tukgogkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEoQMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUUsgMME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSgcAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jekwMwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LScYEsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkUIYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bukAcgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmcQIAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcwkQAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqgIwYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saoMMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQsgkcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAgEcEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGQowAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeIMgMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwsggYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqkEoosk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAgwIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUcgcYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCEkksck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TogMQQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcsEIMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYYoQMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeoUAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkIAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swMkYgss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagYUYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKAEYIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQIYIowU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BooQQcQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGMsUooc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEkwUscw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQUIgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcMoMsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIgsoYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\yWYsIkgI\zkkswMkg.exe
"C:\Users\Admin\yWYsIkgI\zkkswMkg.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\yWYsIkgI\zkkswMkg.exe
C:\ProgramData\lKoQsgQU\gWMMgUYM.exe
"C:\ProgramData\lKoQsgQU\gWMMgUYM.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\lKoQsgQU\gWMMgUYM.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1500 -ip 1500
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgEYUss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\yWYsIkgI\zkkswMkg.exe
C:\Users\Admin\yWYsIkgI\zkkswMkg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 236
C:\ProgramData\lKoQsgQU\gWMMgUYM.exe
C:\ProgramData\lKoQsgQU\gWMMgUYM.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 128 -ip 128
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 128 -s 200
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgwscUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSssgosM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMoEoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEokYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEssEso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEccoIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEQUggU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuEUkUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsccYEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkMsoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAcUcMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOoYcYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsAcYwoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWUkoIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEwQEQco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkUwIIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIMkMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.102.100:80 | google.com | tcp |
| NL | 142.250.102.100:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 142.250.102.100:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 142.250.102.100:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/1884-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\sussEYcg\wWwsUwcg.exe
| MD5 | 5aced52e60422f0a0b1f20a90c196eee |
| SHA1 | eb4f77d78ba93190d774a215c1423ec98d132903 |
| SHA256 | 4c60f546e9992df072295d05dce10ac3de2c98128360136c1fc22ee1604e82d5 |
| SHA512 | 058c30fdd3ea34407c4a86bb6bfdec5e9ef7975bf5ea5933426eb16001812be3e3106321d7e01c290e802d26b8adf7c127ed2e37d297c3f4e1da56b73bf05f97 |
memory/1928-5-0x0000000000400000-0x0000000000433000-memory.dmp
C:\ProgramData\GWMUswwQ\dKggoIYI.exe
| MD5 | d2a9a678819019c7bf9b3083e059044b |
| SHA1 | 24e12349c35779bb88a0500f5c74d12d6c579658 |
| SHA256 | def091fbbfcfc34ada9f99c778db03f77f0e70e1f1bbdab2e220bbc1ee279fcd |
| SHA512 | aa21ef61c53bcf02e754cafefce551edf11c164d0ec4263558912b51d01122fd3a4c83b4ee50bb549758bb8538cd6f2b9451cbed0cf195ed733869406ba3e687 |
memory/1708-15-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1884-19-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5000-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4828-23-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\naIYMIsY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\sussEYcg\wWwsUwcg.inf
| MD5 | 5369d9147be31024c4777ae4722f8576 |
| SHA1 | 7dbd39d379727762a4e839b2a60c6c94bece4b8b |
| SHA256 | fc8a0bee5ba29a391f9e3f7508839ce0f9a78cc6eecdd26568b0363f20572d07 |
| SHA512 | 8910fc9c0144a63ab0b2b50eed9ec97bf52cd775bd804c4d24c40b7c2df4ea6dc8105123e31c79cdac9f9abd3f6082fd64d75a1ec9f49213194e995dd807fdde |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\sussEYcg\wWwsUwcg.inf
| MD5 | 44308ec74e58ad0318ff4bdcf8e8bbd7 |
| SHA1 | d66dc5abf25928a09ec8dd48815571bf28db17bd |
| SHA256 | 8c92b5be28a0d55d10922adb4a8a3551b69359f796338e5c6f2d18f5acc3e455 |
| SHA512 | b143929505d20cb53298d7d8092ac0b823636141ea921329b4bc5e8bc4cd2d3446537d7855348599ceaa85f5b070f575747282863f084be95b7582a2056295a6 |
C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
| MD5 | 00974aab6b9832933e8ac609e50e5dce |
| SHA1 | 6fa57587c15d3de9c9ace6da93ab80830bd87771 |
| SHA256 | 7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6 |
| SHA512 | c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47 |
memory/5012-46-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4644-59-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2092-70-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3160-81-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\sussEYcg\wWwsUwcg.inf
| MD5 | bc012153915aa73baae10cc4dd703292 |
| SHA1 | b9e801b3be5b13e3ddeb7c3a02614983988d3261 |
| SHA256 | 6aef5b081773aebf2d36e04920396407a444f1e39143e5ac695db258864b0e21 |
| SHA512 | 4868ab0d0a541c160e1f8c0640e75ad79bb84b899d3230d26f680cfaf1d96b5a9dbacf08551aff0727ef2cb4697a7c38578ed3bbdcf243e3f6651b303c2e204e |
memory/3024-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5796-111-0x0000000000400000-0x0000000000430000-memory.dmp
memory/6052-122-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5528-133-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\sussEYcg\wWwsUwcg.inf
| MD5 | 593a131a2cb9e716d8883e10821393b8 |
| SHA1 | 5af84f68831efcffb44a512da5a8e7cd0ddd0c40 |
| SHA256 | 6919cdc65034eb00b2f6f43fd04d921ad09b90c940681dc63c26c8c179bfad83 |
| SHA512 | b2fe3e3feb52091be8ded18f90b1d8ed05f9f930d2db95252d4ed1435aed05745d040ac6d6320d6ae6c2e46ccb754a3de766e8bb1f9001734fcdf2b9363006cc |
memory/4572-150-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5076-163-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2388-174-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4812-185-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2392-186-0x0000000000400000-0x0000000000430000-memory.dmp
C:\ProgramData\GWMUswwQ\dKggoIYI.inf
| MD5 | 38fc90b3613969475b51f658cb934e98 |
| SHA1 | 47f40563a73e59afd754fada07e0d696ebf3e4c6 |
| SHA256 | 8a96e36d1a3f20fe627faedf8197bfc61aeed2414478b37933899f47a6c3df90 |
| SHA512 | 5a179c6522495ba10a2e36f90300d9a59aa2fe753612a26cc6df43c767d6cc3189951fe358845570d036b29fa9ac9797fc5073b02474581ba8e0976eef9a97bf |
memory/2392-203-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3260-214-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5444-222-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1776-230-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5680-241-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4140-250-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3728-258-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2548-268-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4580-278-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3480-286-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3564-294-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3576-305-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5988-314-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1908-322-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4836-323-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4836-331-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-340-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4624-343-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3016-352-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-360-0x0000000000400000-0x0000000000430000-memory.dmp
memory/6140-370-0x0000000000400000-0x0000000000430000-memory.dmp
memory/240-380-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5732-388-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5560-396-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2084-407-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2344-416-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4376-424-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3280-432-0x0000000000400000-0x0000000000430000-memory.dmp
memory/768-443-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-452-0x0000000000400000-0x0000000000430000-memory.dmp
memory/6140-453-0x0000000000400000-0x0000000000430000-memory.dmp
memory/6140-461-0x0000000000400000-0x0000000000430000-memory.dmp
memory/668-471-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2988-481-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5940-489-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5512-490-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5512-498-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3012-509-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4376-518-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5564-526-0x0000000000400000-0x0000000000430000-memory.dmp
memory/768-534-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2444-546-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1976-554-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5324-562-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5160-573-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5940-582-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4296-590-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2088-598-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4448-609-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4700-618-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-619-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3052-627-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1564-637-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3032-647-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5732-655-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3140-663-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4300-672-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5248-683-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2096-684-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2360-692-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2096-693-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2360-701-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1008-703-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1008-714-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3040-722-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2380-730-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2272-740-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4044-750-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1172-758-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2288-766-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5384-775-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1928-774-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4436-779-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5384-789-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1708-785-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3896-797-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KQoA.exe
| MD5 | c16ca63ccd52cc3ab658035b3d4635a0 |
| SHA1 | 021978033adeea66af2d5cc721240a1ab47bffbb |
| SHA256 | 2844ac3a0cedf18316d8eb62b7d7a416991590fcb6b00f149513f29beed33752 |
| SHA512 | 044f348303bac376f6308a4b9a4d441bc958b5836d3135ed5a7963c1f0018f5b112a311a5c3aa7736bb538a349b928c307911c0df0d3dec7c3493c545ea82b09 |
memory/2728-822-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mosc.exe
| MD5 | 6c56ba9528318fc434affc0ed528c05c |
| SHA1 | c61969687fe5d51e5399c4a3edc305c26948e9c4 |
| SHA256 | e1e0680c922c7e12ffb86b41d10200dc279e836d3a24254a4a565c01db39929e |
| SHA512 | 3035e9ca31983c0eed310fbe972d51770bf763ed4e1efc28112ea1598191a6e9a4594c2ab1ecba8d89479515fb1529715c5cc42c77bd47053e58765d6dd0690b |
C:\Users\Admin\AppData\Local\Temp\YokY.exe
| MD5 | 5de0c22448548f03e03afb8615161048 |
| SHA1 | b8d5562bcc59480cdaeeeeffc818ad66b65eb184 |
| SHA256 | 902d070a22f0605795030e39f25a5276709cff2a1c7804dce9dc2c564c4415a1 |
| SHA512 | c987d548d3556c14d61628eadca906905d68cdf2c77b8aaf2d9e69da2ef280f12fd5db608774bfa55463797552fae89f48f668c5f64ac3d6029f8b832deb5b8a |
C:\Users\Admin\AppData\Local\Temp\csAy.ico
| MD5 | 9af98ac11e0ef05c4c1b9f50e0764888 |
| SHA1 | 0b15f3f188a4d2e6daec528802f291805fad3f58 |
| SHA256 | c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62 |
| SHA512 | 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1 |
C:\Users\Admin\AppData\Local\Temp\qIsW.exe
| MD5 | 2379ebac10cf64caea84f92cef82450c |
| SHA1 | 88d5603a664b7d293667edd95d211152f3f3e578 |
| SHA256 | dead31aa3571d7a297f7d8bcf5224a4faddcb7db3815ff7feee9ff1208a49de0 |
| SHA512 | 264140540e8df4f6cf93d55c313e198b4fd0c71f5d11380a11ce3e290e23a94d137b950b189dcaedceffd3a1cbd63b69a697e7d938e1223863841e260013313d |
C:\Users\Admin\AppData\Local\Temp\wAsq.exe
| MD5 | 04645cd1e89b84a924357fc89616d9c7 |
| SHA1 | 397030773605cafc524dfc135f0726bdf02ca33e |
| SHA256 | 460a344b51a6f4765606887fd0046c964e216172e1fbe36ef37a381415be7321 |
| SHA512 | 0701d5f9ef68383675487546d2b2507f9823d3701b99ff847e0ac4c33358137bdaaa9d4453cf559d756cdfd8cbe3e5595b841f73017cbe08e7005d651de8a9fe |
C:\Users\Admin\AppData\Local\Temp\mEsu.exe
| MD5 | 0c482e92026c381ea0b1af83b258d1af |
| SHA1 | e2f44706ece66d55450447ab08e2d1bc0bf4d18f |
| SHA256 | de2196133efb475413f634bbe143d36f99c5be333be482d80ebfefcffe42d6f7 |
| SHA512 | 474667ce2ee11355fed69930baf2f3879c4ff152d6980ebc4dbf649fb49d7b4a601776e0cd1f67bfc256d51f4c51194f7943a9558a91317274065cc6ff0c696e |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 5e6d3c517879e852055cd6165184bf9f |
| SHA1 | 1c5288780125b423e4a3223622102bb60d0e5b86 |
| SHA256 | 805c245d98a1e9eab86f07b80e8be647567512d628be89129475e7c2ed25d0f5 |
| SHA512 | 2b5d71e1db1f98275896148d6321ed301d312cce6a025614794e7e23b2f75825c6afd0bc3cab302d176440e2e7594e8b83b2faa8666c7df451a2638ea456aa94 |
C:\Users\Admin\AppData\Local\Temp\Mcsm.exe
| MD5 | 569f5eeb2dfa61c44e7231863347d703 |
| SHA1 | 48ef1001a819c687851f3bfc55c8ce158664f63f |
| SHA256 | 5b51a5844e4026f1ed72e9c9652fd6d48d0cb18ae19b5b85d5f893ac284e4358 |
| SHA512 | cf712322d48fe8d8b13319bf122ac33d81cf757fc11f6e16a9ed6259a5c858c38f8327b17194be66f255d8a34386a7a36d5368adcfc15995e51ef2c2a264bf0e |
C:\Users\Admin\AppData\Local\Temp\GMQq.exe
| MD5 | 5be15940d4f1fa48ab1263a48dc649bb |
| SHA1 | 9707d76ee7047bf2ea4ed6dc4aba009162c0e8fa |
| SHA256 | 31c5be420db61fef3a398edc96d0290cf5cdc106261c3551662c8e8f9d16b371 |
| SHA512 | 500945a43662a7e3be22aae8bdf0dc6e1c210b164fbbc096410e35e42918a4b10cf8697ca00941737a835fad1f8b5cbf5c19ceeefa358bc60d5c3cabfbbb09da |
C:\Users\Admin\AppData\Local\Temp\WIAE.exe
| MD5 | a2d49bc8e88ded6d22eef7f4a26306fa |
| SHA1 | 8194e3ff5796da5e61aa6e3d8cd621568d21a055 |
| SHA256 | 307539bd267210ecdac11d3d3fa92fbf1a5686f02540aed0dadcf728d5eb9f22 |
| SHA512 | c1e9ca9840e3de0bffa82d664a97d369c6f352c87f092b12686d0f175f104385a32c969ca95a76f29fc53f3532edae6c1eb0603f787bc8b0d6eb8e1857301d2e |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | d77906482e5bb46d2e6288f257e7fd3d |
| SHA1 | feda8e117e200f7804f8706bfd037f7fa91867df |
| SHA256 | 19287507d9e829bbe81b528cb557f2d6e031c6fdd5129277a02bd041e8bdfcc1 |
| SHA512 | 608002f17ee8805588d71b60c69fb7ee8b610ead2140c013183740e4fdd2a26462ac1265f02f8af3fe40cd631bd01cc70e0b6add74bc9c4318dd2db2ccbc2aeb |
C:\Users\Admin\AppData\Local\Temp\IwUW.exe
| MD5 | bc8ce0c9801e4b5221877ee6ce7d94e4 |
| SHA1 | 4f93d42813a2b9f2594ed7d9cef535b41e0b0ba8 |
| SHA256 | c8952f633f527817d1276a5a42407cae3396a54a2f65ea386e0fe725d202c765 |
| SHA512 | d7f56ed6b392c7cdb7757b7b8dd05f7e2ebbbba71f959b1454254b8f0ca191635fcb45ae1f1bd431d826f50bc792c2c7d6a4b78a92710f0aa5aaba0bcbe84ce8 |
C:\Users\Admin\AppData\Local\Temp\isAU.exe
| MD5 | 1e509a6e730508d482fcdb18b85d56fc |
| SHA1 | f9845fb8db796bc6affb96d4754f9cc0f56e1b33 |
| SHA256 | a153581cc531879d009dbe2c2e38da5fb3150269c074d1c59cb66de749865ec0 |
| SHA512 | 0cbf6ac083c6aef05ca7b0e712ef9f74a2bf7038cbf58d3a71616a26f453f41c6d14881d6e015153086c2f70b45df32259e125a7f6b682153a6eeb57e0c1738f |
C:\Users\Admin\AppData\Local\Temp\iIcW.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\AEQY.exe
| MD5 | 7ec059ddfa87d1f4f6ac2007154a2d61 |
| SHA1 | a802ddce9f351fed0a1fe30e0a5c5afc43899db7 |
| SHA256 | 57ffd64b836e88421b501cfa70a294550843e740f1dfdbd53aba9d93692d576d |
| SHA512 | c98a0b605ac0836ef355101af28e3a6d71e8d23a249ab7b1c58ce48e0bccaf64dc86983667ed826b2e4d8be094adad8eb732434fb60c6dca5d6384cc5f1a82d3 |
C:\ProgramData\Package Cache\{5625bb48-295c-4113-bc92-d6a69b19b04c}\windowsdesktop-runtime-8.0.15-win-x64.exe
| MD5 | 2d16848adcd87481d0cf8d58cde90fef |
| SHA1 | e732a7d858e3f6a89d7b2fb345c792d7cc2fca01 |
| SHA256 | ea81df4c5766ef37f370bd84a161d018cb973ec10d5efefaca82d4cdeda0ac86 |
| SHA512 | 1e2d66553882b93df4f00d09409fb7bf720f6aabc48671b8d3b5c0cb2e17b49a68f7f5a90cfa21d48d556d373a97ef471b7d51785bdf59b57dbaaa84e1edad48 |
C:\Users\Admin\AppData\Local\Temp\cQka.exe
| MD5 | 3fd4cc3726e2f4fcfd1f8a733b4afcf9 |
| SHA1 | 82aa348d2aa36c7d08d9ec805b2811cea7348482 |
| SHA256 | 80dbd890495af4b5b3195c41068eae0b9d93d96634a94b011fa12f929c636cfc |
| SHA512 | 09a366bc2d7de12fb1b1027a27bdb99a712b5045b8a0de6c44b88ad335478f315c2b708b6796a32a4f07313bf3ee444705a44eb238e6b1c70509c9991dcd3437 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 39e9cd3dc6eb368d031cf51de3a5bbd7 |
| SHA1 | 3aac936e1af163a2fcc9931deb7608d3cb9596ae |
| SHA256 | da502cbb3ca619b10d846970b358a41c73238cc0d61c9fc831d783a9cb0fa726 |
| SHA512 | 40a99492940086f7ceb2f6f35f1abf4288c0eddfb00b7acb06899dcbf9f4945f2421ee00e9c830a0bd0d1e7eb5965e27fe0ff8e01ca712f1c3293bffa1d6dab1 |
C:\Users\Admin\AppData\Local\Temp\Oogo.exe
| MD5 | 8a6eaf8e79fff2e340ea612fa4e165c4 |
| SHA1 | c7b9571da04fc03512fdae5cda135cfe9124b2cc |
| SHA256 | 707f42d97276ea033d8287109affc2ea2dba244a0e5be48e40871e453a6fbfea |
| SHA512 | a3285f08d8fadb5aa79f39c0b187f7ce07897d7aa6248cf19ef0189fa2f88df021ab9b32885d95a4823a38230778a5b887ca6fe3bca3cd5bf5585fb6d3930fec |
C:\Users\Admin\AppData\Local\Temp\QUYq.exe
| MD5 | 6342de7ca00cf853758ef3e78a86b69c |
| SHA1 | b7062102b3154ab3e8fd43c9782750029c45c68b |
| SHA256 | 87caaf6a1a5a5226948f6595048e0a98e1469bca148b741902c12a0e85abffbb |
| SHA512 | 41d1b5e3cbf8b84fce010502ea87ed2175eabc2863a4bfa355e8ab7628b6d34db67d621542bc08b3033515f85bedc1a39babee8f3119ec61525b9c04da20d015 |
C:\Users\Admin\AppData\Local\Temp\yUAi.exe
| MD5 | 591abe1fded416ec0d885af1968bb2ab |
| SHA1 | aaad181c4db5569c2ea72f317023377b552cc4c2 |
| SHA256 | 8e452ef334796c2aefe0a12f28aa13442d8ba2c58389e505d9953b47721d9651 |
| SHA512 | 9c6e5ac83d7f04e65159f4143e5a0a0af44f8357bf66e88cf31896a9772490610de24a0f54d0845ed5100a8f95a307be424aab6a57358ec60f44f84e0d2a1e59 |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | be222ec3fa5668cf79b6286032cdd14c |
| SHA1 | 4a06650287ed6c266ed94a249939eb7692b85250 |
| SHA256 | d3ddd1e41ae1568c05e40adc3b586e96c29e537a094003c3efca9545f2cd7c08 |
| SHA512 | 2170996d4c0fe342b4106b6539564360fed2f4b67ba5f6eef3705f2ce5a2793a19a804236d6fa27147c1b4fbc4747173c85bd3b56bb0ef19789c8517cd1802ee |
C:\Users\Admin\AppData\Local\Temp\aUca.exe
| MD5 | 380a8df1a83970f33dd2c61a15472cea |
| SHA1 | 3c7a590feb432adcfbe151b3175a2685cb80ad6f |
| SHA256 | 4c0355d45e393c7f5a9a5de351339ebe26b1617b22e455026576e7d3afc53cbf |
| SHA512 | ad33412cc166d71eee6f37a860c426662bb02c0354606cdde3513c7ac1e7046a013082333a921ba9036ca42358c89b1f725836160efc94f12d4b9d96fe720973 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe
| MD5 | 3079e1940fa68e706a8e862b582bd968 |
| SHA1 | a26e2c150c30dc039dd8897f2c67f1396acbb42c |
| SHA256 | 4e9917877f5f57d0a85c45cf8092189573d7ca9d5bba304c4b5a98682e173697 |
| SHA512 | 36765076b8de4f3bf138d65c61d48d8b67bb485757bb356d7f1d39bd44a4834f7d652527301b62573eafe98ec3c385aa880a8db784be0e6aae57d1d2b44ccf7d |
C:\Users\Admin\AppData\Local\Temp\iwMW.exe
| MD5 | 48f0f61f31f59eb4263049a03382c4b1 |
| SHA1 | 7bf0f8a23d19c115d0e85c4cd6a77ccdd95cf392 |
| SHA256 | 715f7d4661f10b10b2474cbf7ab93d23a1ddc77338d3c014124574e6a96a5507 |
| SHA512 | 6eef8e5e41cc61a81b47ecba95bd5566a0dae545f58c72dc984e6edf24fa34075a8e1e945dcc7c5bf2aa1ac935538e128b055ad44d118d0b77d48d9348a4e620 |
C:\Users\Admin\AppData\Local\Temp\cQUO.exe
| MD5 | def6fe7b6051a77309b7595a23d0eb9b |
| SHA1 | 2992df7831fb4d168509f30d554fbbc58c9efcc0 |
| SHA256 | 81373e30f12876fcd940cf595d2fa6017afb0b14b67fec83e74eaceb33e560e6 |
| SHA512 | e17d833846552916eee6845a153b40676e37e0e66504495bd0fadac087cc7156e87349cd7e852f164f717ba855f603d23bb6d9155958df76b13c5205f23281f1 |
C:\Users\Admin\AppData\Local\Temp\EUka.exe
| MD5 | d566d9ff6aebe32cee253b0150193dcb |
| SHA1 | 73d12bab4efcbd3b3d974470974771a3088e4c83 |
| SHA256 | a82d79d23501711b36b13a122f24d66f624f1d54c2376433c63aa5c8ac1f154a |
| SHA512 | eaf90a3f6ec7be8788985abca453f93dc2cbf87a8ef4d0c7fe9ba1297563e03458e840c3c4528263a31f612fe736957498572db7327611edd1ddcd8656c98276 |
C:\Users\Admin\AppData\Local\Temp\EkMG.exe
| MD5 | 92af5ab737d00d2c4083992ac61c61c8 |
| SHA1 | f452b8ec18c0ecaa87e7d2c2dc9107f94164636a |
| SHA256 | 2e4d57e095433978ac5dfb97a3adde80567d69cb4e45769a0e2b3e483409173d |
| SHA512 | 582d6332ecffebcf58563e50a909e034785df1e182b4cd2a2df5e92b49a46678759877cbdf8bad7020c1f4d9f3b1b3a937bf7a89b43d27dc4fa5e400953d7a7d |
C:\Users\Admin\AppData\Local\Temp\EssK.exe
| MD5 | dfe8e9e06ac449be6893a0d71155ef86 |
| SHA1 | 8423fcd85793ff77d6e8c00220ee097f4a58aee3 |
| SHA256 | a90099bd8c84ed2da6b6c5d5d37cebd0f5f72406f9e4bf6beebdc8d9600f3340 |
| SHA512 | 687a3919df8ac2fcb6dbaa88d36fa25cc3864f283168001988333c8c00139a1a0a5f72aeeda797c8947b8d762f781e0843ca79d268e233ba7c0d2eb6c88cad3e |
C:\Users\Admin\AppData\Local\Temp\mQIe.exe
| MD5 | 9e8b52a5624ef92de4901ea390801402 |
| SHA1 | b0b20648c7caf5ec72497087dc76332f76acc5d2 |
| SHA256 | 11e24e4d4128c39874d6fa34db9c35ae536ea9d4f12e394304845bc634f214e7 |
| SHA512 | ead6256cb00ea5694cedc1464a8ed971b58bed3fb25ed3a57575c7c3c911fedc9e42e64babfc902c86994c782ded963b5d34f1199882c21737e792c0f67b58f9 |
C:\Users\Admin\AppData\Local\Temp\aUEC.exe
| MD5 | 79d276deae8f449167dea13daab22133 |
| SHA1 | 4d457b0935fce4778f95f51d221570407036a923 |
| SHA256 | d7e952581d500e402fa0e0c4686d31b6352d2eb3cbbe5449ca5abcc8d768a37c |
| SHA512 | 2b9ecea67810dd2ab8a1d2269426759bd64af975e33ca4bc370ae3fd13059fe11a53644f3a6266e29ac2aa00660e4446b497d7d80b4fdcd04755b39ae92a961d |
C:\Users\Admin\AppData\Local\Temp\ewEk.exe
| MD5 | a5b7bc743b6f191a469ae6f6715ffd1b |
| SHA1 | cc53fb17bca5abd8306f6ec9890f4f13f85adacb |
| SHA256 | 986d70cd7b5f5a7ea2ba8b6bd065608e59c0ce187d9b0ac6d04fe7a52a130390 |
| SHA512 | 7531962b607bfe758a165b33129088eccb16ea9cc18723337491a3820c52544ec1ac5ad9cab8ad996a24e4b5f7dfa045aea07ed47d90c249477690bbd7fccaad |
C:\Users\Admin\AppData\Local\Temp\EYEo.exe
| MD5 | fb05a78b3a3ccba856fec577772893a5 |
| SHA1 | c70c28416770c7e95520ea2df49370ecac25930b |
| SHA256 | 01b0bd3dc3eed159441d44f715c71fd8fd60c65fccfd722fbd207430af834b98 |
| SHA512 | 58286fdefcee02aab5ae55f3230d78d3c3b72771fe37079d54cee60609ed540e1fb188832ad60aa92c33b6eb096e8066e9463e3c0b280f73fffc0d6ffb09fb56 |
C:\Users\Admin\AppData\Local\Temp\Kooq.exe
| MD5 | 4237f342a274f65bd5099f322935e530 |
| SHA1 | 047e1ff24aa8bb3ea7538b307f083fcd22daad96 |
| SHA256 | c8793fd1e7f0d91fd69344c89af97ddc75ca12172a678676a7d2bc1ef5ed2867 |
| SHA512 | 1a450ad5fc18fe7758ecab8bf2031153e7fbc9f7ecf62ccc09639f7a768d96ac9b6a52b29eafff5dfedb6dd755cc0cea8dbe372124c983e1fa4aa55331e1c060 |
C:\Users\Admin\AppData\Local\Temp\cgEu.exe
| MD5 | 748a82885d543d768a7ff3918f2be2ef |
| SHA1 | 0b047690b6412ebc81c23d64c54cb186b31c2342 |
| SHA256 | 4420daebdb02ea1ae59a33c29cca1ad6dfffb67d66210175bca65c4ea9b36ace |
| SHA512 | 672ee8d446350d59660e8d7d308c612c1e515ecdab1466e6489149cc5be38a11e5bfc6142364b2b86c8501ab2d6b8949619ac2ba8e41f1f9502667fb4da5a637 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe
| MD5 | 42beb6071dfe3e6829936cfe300a73fa |
| SHA1 | 0a4a290089e913105f50a36aa3a21fe321a7b9aa |
| SHA256 | e7a39b52e2521004950861e903b39715f93b9d579f603db4c0f515d0582f359b |
| SHA512 | b16de1a65948c60cf701c3cbea4656b00f5a93665f1d4bf78b0c75ebc1da198b71a94401863f5ee52e0c6b1d297666927f52c474c50bd80e87f17c9e572bd456 |
C:\Users\Admin\AppData\Local\Temp\qQEg.exe
| MD5 | 3ffe84c6d45172e42ee18116948a6386 |
| SHA1 | 5e29236e73e6f59ed8baaae95ecaf70e41f716b5 |
| SHA256 | 1d6c1f6c5d4d900a4124b0e26174c1389e9df50990e13d4295ba2c20ad0ff897 |
| SHA512 | 9dbb531f7a0be9eea414dd45b4bc1043dd6cc8bf1f2b058e090ae110ce07e677b1477a2844aa00e779da051f378efa313c5fcc72260e630a8ed3f240049b9e73 |
C:\Users\Admin\AppData\Local\Temp\eEAm.exe
| MD5 | 51a84f3ac149e39ccf97ced11dd6630a |
| SHA1 | 627f6f835ef33561cfd8d7e6d7cbec9a3f3b0894 |
| SHA256 | edc53b24f26def833fe6aaf7f03882e5569bebdd729ee2e404601000933a6d35 |
| SHA512 | a74404e3419670dcd6b3b280724f0750b73fc37e8b07cca1fa2b7292bc3fa9c1d560407e53d4c2585368070735bad7acdaa4e888a7372f1475ebca06527369af |
C:\Users\Admin\AppData\Local\Temp\KIwy.exe
| MD5 | 149e616a453419f184754a93de0011c9 |
| SHA1 | afbeaac045da384a706da20b2e97eca848a714fa |
| SHA256 | edeab0ebb1232a873a5ef3c6d4cd9c045f985839a1a4a351a2ad22b0bb5e65aa |
| SHA512 | 28a07c0ed4f2890b0cf028bae02d92a95b806244cb71c0a17180200d8ebb947d7503ff2948d446ea02243f3a7113758b5030e5b3a639cfe4f563e993c9dc2887 |
C:\Users\Admin\AppData\Local\Temp\uwgk.exe
| MD5 | 616fe0ea1ef62130c461d6e715a18fe9 |
| SHA1 | 49f1b73ad4f44932805262fcd934398aab46288d |
| SHA256 | a8b8a210a4bf58f1da16be9f605dd1f752ea65ef0878f545e072f429f456bc0f |
| SHA512 | 9c386784e2a1874c2114c527d8dd1d2b532be277d8db7d17bc3d3d2e892b2282f322cc902c6235490cc699ebedc4faa5f3355b983dd1faf6b6ee52b7f270e7bc |
C:\Users\Admin\AppData\Local\Temp\SocS.exe
| MD5 | 249c3dc9a953378ed73a5932592e4768 |
| SHA1 | c317f2df888103483cc33895096077aa8b5ffbdc |
| SHA256 | 929edb1782f34f19373a8d37da6a7d494cd1855e9ce4685931b9e759979eeaec |
| SHA512 | bb33549c90e951a7dd58cc0b3ee7eacd357b5546f6fcce46b3415d8a9aaa91efd8a437ded1f53c021182b6eb93807bee16f32d83823b84707f685836f86c54fb |
C:\Users\Admin\AppData\Local\Temp\OMQS.exe
| MD5 | 548295e372b50dc16167a45933b5125f |
| SHA1 | e69dafabd22e467294adb2c0f9dab5b576655637 |
| SHA256 | 314aa7c4765425b7c704585246366549959fd0173dbdc3acc076cf8a6a4bd6ea |
| SHA512 | 7dec0a936f56f6a6c9d77244289c10939b3bab4b9b12ea2cda59a564503bcc99999190ac3757e9f77a64551bcc80b938a880106cfeb87e107b44d212bc00348b |
C:\Users\Admin\AppData\Local\Temp\OgMc.exe
| MD5 | bdda10cb20a54fcaf9657e5f50d3f511 |
| SHA1 | 4b5ace06ff45a05ae873e069eca7aa041feb94c0 |
| SHA256 | 916f8d630c43b960904e9eea6f09762c4558f67e0106f30a90d4badb032a8f6d |
| SHA512 | cfac133754395fe3419cdea4317da4e57c72111f8fec8d47a6c6a146d4573d1629ca5585020bc189d1e3893712447dc6a429264f46f7ec74e5a8407c452559f4 |
C:\Users\Admin\AppData\Local\Temp\gIUA.exe
| MD5 | 9da70adbf25b961c6487f1db52333fac |
| SHA1 | 776a08df21bb666acf2e0dda59dfbbc0297a7cea |
| SHA256 | 0b5c28ce66d72dafa559efeac96f47d1847d366a361fa71bf8ca93c483c38484 |
| SHA512 | 191656fd8d7ee4d4ec8330b4bba0bedac07c59ad838d7c8b368ea9e7a3613baa6e363f182192604dc8b8e440bb2c07c1d15ee9173bdd7efa50346a26af2e6d2b |
C:\Users\Admin\AppData\Local\Temp\EwoW.exe
| MD5 | 72a7ce7eaae2b62d3cfd24a2ddc9996c |
| SHA1 | b17345a833c725a4d3d640acaee6951924ec453f |
| SHA256 | 55dd45233c043ec9b89d486983dfc232407d58e145cb7520071ba787fe3d4c50 |
| SHA512 | 5ce0957ab3d3bc23cdaa5aefb1849663b1beaff30bf10168adcd479abc694398aa88e539ec4d9ce1b9a5871f981e216d588ea7e6aa1c32e0a91335406ab44f30 |
C:\Users\Admin\AppData\Local\Temp\icom.exe
| MD5 | 6edb996380064d25245c83e551fbc298 |
| SHA1 | 471d4e647bad108bc2fa15b24f3b90e61e4bb094 |
| SHA256 | 3b55080f93f63c1b4fd1150b49cb228495cd4fdc8b904df4fb961e2cf564afa0 |
| SHA512 | 495f7f470e5e12dee1c9ca37b4bfb92b83c0fe00d079cc736d62dd0b6ce18b9de2bfa65684e213d2309950d13829b2c4c20946edcd58cc004298c42e18ab3060 |
C:\Users\Admin\AppData\Local\Temp\SMoq.exe
| MD5 | e8f24d789bba32283b05c178d7424ee1 |
| SHA1 | ae38d41ed529fdde31764e0ef2a05a1c1aac68b3 |
| SHA256 | 3e4db5f2b2a2756725f09ea04cc2b240d0ccc917ff733e15347c2ff6edd3f35e |
| SHA512 | 08dccef391c1c793416ccba97ff3275a53264b11a831b5df50571845000788d8b6fd54ad98a1e26af20787023d18cda099e9e31b3cad81ad459a15bed3c21678 |
C:\Users\Admin\AppData\Local\Temp\qMgY.exe
| MD5 | 94d04daab9c8f166c96ea91fc3235459 |
| SHA1 | 2583baf7ca8b6fe8fdb7d035b6fd4b2893e70205 |
| SHA256 | 7156258d68e9c019cfb5f8db0776a904ee89592f024ae18568944ab05781a74a |
| SHA512 | 8361adc600c6c0a5c1d722b35c4516f4a2bb43775f17d649b63a405a666b80ae0188724edccf3cc1b412153b43a23d321f9f0226ac95d68f6462b6bccfba88a6 |
C:\Users\Admin\AppData\Local\Temp\cYkS.exe
| MD5 | f371e4963faf2499f757a096c63f1037 |
| SHA1 | e022f92a666110e91534eb22b24a76429ef771e6 |
| SHA256 | d972a328dca216fe4578fb7be35ac3ffe6785556a4866817a56afa6d83cb3bdf |
| SHA512 | c52e4d0f5e6c0ab5238437d12e96dba47ab5922a5f1542d9103d49c56160b8663654f27d03d2ecb2473d2cbcf0eb09b4e0b27ff34d407ce43d57b837565f1543 |
C:\Users\Admin\AppData\Local\Temp\Swsi.exe
| MD5 | 9a861c7fb2bbe68fa71327ed9a3b4533 |
| SHA1 | 0c8f81f03936a0dbf8406a0e24f29121cddabd9f |
| SHA256 | 01370125021024b53a7394479e92512aa27c4d6c8f10f071a9796553809a31df |
| SHA512 | aac2092a147a09a3f33c72184598ac533fdb992f13eb659defc3343a60bbb57ebab16f9caa2f8d7004936026720e2a68d2dbe75607aaa6ba1959dbd58940cedd |
C:\Users\Admin\AppData\Local\Temp\MEAu.exe
| MD5 | dd585941cda9ce3d8ae2863cd33fa51b |
| SHA1 | 41c55dbd6bd70b4131fb0a115dc1e892f518e336 |
| SHA256 | 29e5190df86f76e1807746d811af96af52a5a338e463f4600d3fac9b0a51d011 |
| SHA512 | 2f32b2a748b4863caa54f6e1d536e889683c813df10048626f836763eee789ed1c7c8a6b03944e25b57fa9216f94d8b48d7c2ba1413e67e5f409c807f34729d5 |
C:\Users\Admin\AppData\Local\Temp\Qssc.exe
| MD5 | b6ee3105c4b8caed657809b0dffa4cba |
| SHA1 | fdb2dd50b4a84f14a3b0f85321c6c1626fc6692c |
| SHA256 | a4004fbedbd3b65f4f13b5f16a8a566b5282b916d33024f80ec4deea000e068c |
| SHA512 | a08657669e808da6b14840f4a360698c36347c56f483e9c185e1f6e682408dcabe26a37b8f42ea1105ab7553f73850aad794f00c7e826917b18429c631cb8d35 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\256.png.exe
| MD5 | 5f60bedbe7d16ba122852f06468d87ec |
| SHA1 | 9008022bd623107ac6ff1f0d4d92216e3da9c476 |
| SHA256 | 290171e8eab099929a0d300087cbb7c30180e7c742bd90ec0f198e9d37228ecf |
| SHA512 | f103477b5d7d75cb2f3ec9e5218b50e430a8f3070f5b72b46afe880d01f0a6385fedf760db80e963dbc99decfe62f16dc256da4f58986aa4ac3cdaa731092e8b |
C:\Users\Admin\AppData\Local\Temp\uIcm.exe
| MD5 | 9e44999993729a91b99853d19a53f551 |
| SHA1 | bd170e2e65567b9c65f593ab5c63ec902b6bfc94 |
| SHA256 | 530cbcd6fc239bf9661625ad251ceb119156fed581d766f70ac69f86749e670d |
| SHA512 | c67c9f6e5f4d1ee114d0a5f44e662ce7867659960384d886be108e0829930e1ed0101d2f44465ad7b832970ac49032a2f92c43c577d7c7371d08bc80c1932559 |
C:\Users\Admin\AppData\Local\Temp\moAo.exe
| MD5 | ff0cc3fb2c6281869c7bfa552034d520 |
| SHA1 | f06750c9ac86c7e3ebb25e8cca81775a18c3f805 |
| SHA256 | 343bffd7c5a483df2705cd4b0fb0f61fe4a9f25d0a1e758a3eb6ae2b16ae6ed9 |
| SHA512 | be94a5f1e9feaaf03872fa28c193c27532cc14df2eda5b298eb79fdfb13eab1e36418fa609a8fca94b2f24d0bc1e2b2447f6b01a07110ae02a64786a8ca55e93 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\96.png.exe
| MD5 | 192a60deacef4feb955dd0403c8b8aa0 |
| SHA1 | f72d281234164407c3d071d61c42b123038fae32 |
| SHA256 | 0e3c5b141d833dae5744d7184fb06f4f2f4a9c2021d997de07753fbb1c43af77 |
| SHA512 | 37130970de519d026aabf0a03417015cfcca144a2528fb2e3c622c6484c13bfd52988c77850a28c4cf7d066338df788b3778024e217fe1ae68bf4070beef104a |
C:\Users\Admin\AppData\Local\Temp\AUsW.exe
| MD5 | 19a9321ebca4846299494bb542282017 |
| SHA1 | 977de7aa5c6e1167abd970fc9bf04a00d22776f7 |
| SHA256 | b969898f8aaaddc4ba066cabcf4fdfa1d448e121a1e61790e17f7c4c328d20eb |
| SHA512 | a9a1dfb76ecf66c13495e83da13b10651f3269e589193048332e93e0092e842b266cc371c730c138a7e441ec91e9ad03635901307cd5f25137e3cd18c99ea990 |
C:\Users\Admin\AppData\Local\Temp\sUoy.exe
| MD5 | e2560c1e89ab42c8350f05f70bf0ed20 |
| SHA1 | f22dd593d330d223bb345090a98ce029ddf64759 |
| SHA256 | 5a98e2efb4e0f3782cbe9adb9a34d6ecd661bb905992a7055e3487f70dadabf4 |
| SHA512 | 7b35b84cf0f4d8299f192b799492d00c6fa2a4519668e3983cd08b372c4bc0ea5df48389a8653889249edffe906b20994a273a8e49ed13687dcb308fd3d7aa8a |
C:\Users\Admin\AppData\Local\Temp\IAYG.exe
| MD5 | b41c9eb6725ed875b95849d62306f177 |
| SHA1 | 4b8d46e324c070089cf9c79f157b9c74cbd417a3 |
| SHA256 | 5302065cbb4b0c02096086c700cfe07d94a993008e5a6561fdcb63a3eaab008d |
| SHA512 | ceaae5d770cf04886f82ebc192cc317dde4e593b87c890d0b216737ec158d9e0c02cb55f0bc4ab0a9927f877fdf98288706b953e05ba6753a61600e575a58930 |
C:\Users\Admin\AppData\Local\Temp\ekUi.exe
| MD5 | 13571c32d9ecd8132797c652d397bb04 |
| SHA1 | 337dbcffc0f7133703ab75af2b923f70f69921e7 |
| SHA256 | 0770512626bcc00a332e9847bebec8095a4f6c5d21f4aefd57b2f5b6e7e980d0 |
| SHA512 | b4208af87e70e47a9916b7d244af21dcee92620358f6e3b8232cfc80d91d6bc4c7da3421d55d0a724da968794a028f64bfbfbebb6feddf36f89bc2ad7ba3f375 |
C:\Users\Admin\AppData\Local\Temp\IsIG.exe
| MD5 | 0086102efec7af22e1a8872eb2dd5166 |
| SHA1 | 7acd2948a4cd563ca8da9b20ba2ecaf4b8042d59 |
| SHA256 | 0fc6d2898ee4fdc379ebbbe86b41b0a5565bc617fe5a4be3d11fd56b72ae3614 |
| SHA512 | f9e31a689c7e4c627a29313c44a4cdb2ca311933e87e653744638f962dcace4a8ddc8ce2b57bc31239f6c62a84e71dabea5b4bf10e55ee2b3666656eb7b1c77d |
C:\Users\Admin\AppData\Local\Temp\EMwQ.exe
| MD5 | b762fd1c3a9b163da5560980e2d75aec |
| SHA1 | 39d62ceb7ada6cc131a2a3de3b6fb4165af0ac22 |
| SHA256 | bfb83391e791ab24630584f2d2c6820e13422517889f47d75f186a4cf078aa69 |
| SHA512 | 9ee1f7552fb4fc38ec320886608f1a1dbe9cb9e66b4e718474a6fb5818d58e9e78cb325f734fb46389998deaf6d3c1aa4551787d11cefb21005b9b6500964ee3 |
C:\Users\Admin\AppData\Local\Temp\sYIS.exe
| MD5 | 0fd5d7b8534c3e32c461e8101a0c9bc2 |
| SHA1 | ebf3abd3897f44e939c354caea10c92921f3ed44 |
| SHA256 | 996e688f872383a4ba48016c39714d21f751bbf911930bc069a659d4488f264a |
| SHA512 | 5415f462131abca4a127e15c386299e5fff6b5b19140aa0f17c52ecdd6865edbf02f595ed58cb2ab53132d135d1f2c18a5e8c69fe88054a78883918bf8a0a590 |
C:\Users\Admin\AppData\Local\Temp\YEkG.exe
| MD5 | e3b37798378db17acc72b664895589e9 |
| SHA1 | e1aa4b968681c6f94fba5d9e7a455e72358f31a7 |
| SHA256 | ed65b8d554e7655a742ef6518fa550cf3aded20d327f2616b3ba05b016945f8e |
| SHA512 | 31c9def699fdd9d54b4fa3277e1379ce3300e53fdc8cfc44f9d11c912d46e329a538d3a5a0e4f88d8d449e2f99570e11684db88905b75baf881df4f9370c433e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
| MD5 | 9333229c898d928b142ae5376328ae45 |
| SHA1 | 1efd2ccdb6f17c51376da664ff080691dda97065 |
| SHA256 | 8b8b38d5b481a34e994fdfa159186d28cc2d490d0407e34759a9fc824a2add6b |
| SHA512 | 1f4ebfbaaa87de37879424fc721779d9ba491226fe2ea3e07cb96fad7ee03d389baedfd054e506c8deb6c0776035acd4ee02349db2c082c52ef06252a6fed1e2 |
C:\Users\Admin\AppData\Local\Temp\kQYc.exe
| MD5 | 7a5e3aaa4d7adbbed02a7f989e11b702 |
| SHA1 | 05531b1d1e7c02fd9c3e11e94a4637f9d83faeae |
| SHA256 | 3aaf94e1a1d25560e1966328c16809b53c663d99c0064500695db20e11be925d |
| SHA512 | a5ad2e519caf38caca2ee1b55ed6a4f38a8dc1d727310d2ad19b4acf10cbf65bf1ab09245311eab67016433dfb23923d5ab859fc62c799fd1a0c3394ba4dcb80 |
C:\Users\Admin\AppData\Local\Temp\qsQA.exe
| MD5 | bdbbcf0ad87eb20ad4e57d63406d20a0 |
| SHA1 | ff230c1386b1e189e5d97f352e70174f22fe615f |
| SHA256 | 19be6aa2cffa77e22fca7a8259de5a6ad96abaf3465aa3d57ef79748a1dfc7b3 |
| SHA512 | fa78f381d5d33f737ecddb295ae4efb39211ae5bb886c20da2512e3a64f0728d4a7600fbe32b7777b3a148449ebf8d3545f9e8408781a8363d463a0c1dbc79e4 |
C:\Users\Admin\AppData\Local\Temp\IQAw.exe
| MD5 | 83b70769b351c6e8815804f3c7624245 |
| SHA1 | 95b3c6a8eb7229622dab4640222afb861dfd4999 |
| SHA256 | 20a867197e6d68a62da486720344ff62c829b9b3a04dbe0096dee8219f01728a |
| SHA512 | 2337b8b44ba1cc3e85c75aeec56758529bc0f24dbb3729c9828a749b586550e662a0d288c6a247249ff0a431115bc04d446d8ef09b133e74361bf686ada59047 |
C:\Users\Admin\AppData\Local\Temp\okEA.exe
| MD5 | 8ab0ff99f04bdcb312fa5cda5cbf967f |
| SHA1 | de9a135a9154146cbc4c41b51173656d3c654851 |
| SHA256 | e43db5d6d2762440824637a4e708f1ff5f61425cab25c9dfa84637f3cf1b3d0e |
| SHA512 | fccd191fdf08c99dfa6ba7f827ec74c14ff25ba2f54ad5dfa3bb1ca1a58d5f748a65b099cd8dd4f36c505a295cf7320cb481a88de628c969bc1db8a67075336e |
C:\Users\Admin\AppData\Local\Temp\sYoa.exe
| MD5 | 88444a39b4e2a18ad9cc9fe9c5c54d74 |
| SHA1 | 0e103992f91291415b5c3d2e61ca8d44e7adcde6 |
| SHA256 | c9e7ba77b9d1f945b76b2ba632cf896b02030b05540226be5842e1a216ee3192 |
| SHA512 | 98c8e389e7b307100daf4ea47b511ce45228a589671cc345d041f141e80ad7c3d6a4c543024fddf4d4f02f2e07edc86e35826ea243722de3c97505b23b5ebe79 |
C:\Users\Admin\AppData\Local\Temp\yQMG.exe
| MD5 | 7a18e3e9b9ae46d4bf1bc47538d925e6 |
| SHA1 | a70d8582d20bb6e49196cd14b9e693ccf78d8f4e |
| SHA256 | 8ba8bb079c2448a1e2cc6ff931a30ed6256e61f78e4c746841793deceae39af1 |
| SHA512 | 7c3c53062c8c0001c4d6efe8f2884fe1cd4506ad29c3126342f240d9cc5a344570b013b054968a4c34c03274d4a8163621aaa7407f6a49a0e3ed638e3ea67ea4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
| MD5 | f31e90986f1395543a58a2146ca32d2d |
| SHA1 | 27b8cadd860470b5e682fe2f34652d3d3a998e02 |
| SHA256 | 6c8b574a8b2d988b46e3d868bc4f612339491ff905e3e1240fd67df9b919a998 |
| SHA512 | f6aa51db9aac58155568579a914bcc5a31a1f5930555a5254212fc0eb6e8cad66cfe988476cef5ed35ceb30229783f8e4be5fddb7ef79e186bf351b683ae0352 |
C:\Users\Admin\AppData\Local\Temp\GQkY.exe
| MD5 | 2cfc3af1873bdd8928ac98d34d77c7c6 |
| SHA1 | 112b1a48b4c0d78cb0e3858210278aa1b904adc5 |
| SHA256 | 3408b4093f1e798536d5e7e174d9c1bc91e3ae8c6c07edf210bbc95b4942af51 |
| SHA512 | dc7a18734c7cd940e0835ccbfccc6dc1a9b004a7859b22ce49d157094c66cc715ca276777ee75a91102aba5c5e89fcef43fbaa1d792ee5431b93b0e68156c3a5 |
C:\Users\Admin\AppData\Local\Temp\MIEi.exe
| MD5 | 73f26d952b9ab6786b2e9dc55cc8ac76 |
| SHA1 | 0d9f47b7d979987b8914cd112ffd5d89e89c1590 |
| SHA256 | f98c578e82eb42371ce6fb1ce066778ca66ac7047e1616e17b8f199cbb38fcf8 |
| SHA512 | ad84236b42d802ff42b855cd735df6eedcc08aa0b886836a57543b6a2c86d598f829ae6563c2072b7eac515ec5caec377a6e46bddc62812ce3af09b24936aac8 |
C:\Users\Admin\AppData\Local\Temp\ogcu.exe
| MD5 | f43d05aa9948df9ee80ed918b69c73f1 |
| SHA1 | 2c5cf713b6b034d6aba520f8ae5d0f710455db27 |
| SHA256 | 9fec6b4a714f44ceefb9f824713c73d2ab15bc81899489d8996f56e30f657ebc |
| SHA512 | cc80546f3214f4422a80678ea0cd25afe8acfeff19e796feec4205904cb5518cc2ad81db4332708410dba7af20db174b9e630a6519b2e5d8390c7196e4dd48bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | 93fd950852d52a49f5ec33394c22caa5 |
| SHA1 | e848905ec2b98076d35ae468f5c4876207612790 |
| SHA256 | e49b8209aaf4cab64b2d5ab24b960f011bb255647154a48d739711b134786f9e |
| SHA512 | ec7a9c9f35ea21b06c1be1fb2dd0352716d3ffaf6164b2684bc5b15cef73ea1de130e72a02714e63b2ec83b826102d68dc58fe5d13cc90d4a191638695095aa5 |
C:\Users\Admin\AppData\Local\Temp\WAAK.exe
| MD5 | 1f7b349a74c393c5f00d86a4af1f70b2 |
| SHA1 | 3c11b7f5f8decf344600814712a4b63866d3dfbb |
| SHA256 | 6770233d27c02fac2a5d9186109fabe6f12487c3ca47a448eb7118e2610da34b |
| SHA512 | e1029b7e036076d05c22bc0af38266fe4dd56441df3486c30f649a9fed184dfa7aa59701ffe87d14d8e5502007bdd1e62c22875c3848c543ac3da080b70b7e6c |
C:\Users\Admin\AppData\Local\Temp\GgUE.exe
| MD5 | cf4659974b5088550dfcb9a47e311b1c |
| SHA1 | 130228a1f34e9131bc341d0802be2eea6635c3e5 |
| SHA256 | 3da7e5d9de5f6ed4926c24dace361154f4aedce1652308e6bbefb1ede88e0450 |
| SHA512 | 89dc8022429ecf200204c1babdc0ab29324817bed29ebd58a03340b8b88707fff5c09b32e472beca2bcbfa98b7971623411663b3fb67c95f114db60a69807620 |
C:\Users\Admin\AppData\Local\Temp\IgsO.exe
| MD5 | 1e2892e796ad502db2c93399bd9fab9b |
| SHA1 | b8edc63c0c02543440c067069ff296b865caa67d |
| SHA256 | 52890401e6ca66ca7080527c77f3cb946c3309db7b3f4cc76a5c311a280f55b1 |
| SHA512 | a23a104fc501051f296017352463bdb4e728511e1ff5202bef25fed4b072bfa0bc5d64c8c79dc421680d6cf26f210124ecc2da4474c86551fe2a5f9214522258 |
C:\Users\Admin\AppData\Local\Temp\IYEE.exe
| MD5 | f5268fa4a646defadaadeb40780ff072 |
| SHA1 | 5ac2463ade95c155751cad638d56019382db67cd |
| SHA256 | 41d0644db81606dc770c799854f5a40a87fb645e6f9fd05bea0da2592c4b3039 |
| SHA512 | b01c0d15b711e0bef79b6d19a89665a074bde5a2943f0748d2694aa746e8869d00c10d80c8b68fc840644ca5cfe293db6a11308b29062784a69092c17c8790f8 |
C:\Users\Admin\AppData\Local\Temp\WIQM.exe
| MD5 | 7bad3c905bc91cfc4fd86c62033c042d |
| SHA1 | 6f7579f74b27410d38240aa371e9cbbd1bc2f7c2 |
| SHA256 | 97a003fbaebb0fb5c7aa3fe8017a5052852c1436a57079c4f5f61f42c80529b8 |
| SHA512 | f8ea11f85ffd24d8f3f22ccf5a743cb3bb825d48df1b4205f54e308f6884776f2fc509bfa5125193277265a6cee228a7114be00d49fc20939456852e4fa2b249 |
C:\Users\Admin\AppData\Local\Temp\MsYU.exe
| MD5 | 54da8926d42b6f1a82bba007ea451afc |
| SHA1 | b37a12f10dc54c1a06e8d4c3eb38ee8119d7c915 |
| SHA256 | f4fc1ef0bb7c49869d73d702d4b58917ab00ff4e14a517dcdbd4eaccf324d435 |
| SHA512 | 9da0a4f4412f26a169dd4e808f74079114947d036a6225d1628684288f6335117a18be45d23c7af79892b376a8f4a458beae9fbe0ff179a9b522475e88f30a85 |
C:\Users\Admin\AppData\Local\Temp\Gcce.exe
| MD5 | 118c6494db7e047ad378bca7ccd74c64 |
| SHA1 | 64ebfa49980d21c0d557d7a967879830b3828633 |
| SHA256 | 7bec4883b55becdb594729262e2688e1930d3009e619e567c747874eaef6f9f0 |
| SHA512 | 906b190a6b156fce7b466a6c259528dd7b63685383ee49bb126ca0c7d9c0a966fc17527624380f5573872d735d0413da208060ea559065806e461eed965f1017 |
C:\Users\Admin\AppData\Local\Temp\YYcW.exe
| MD5 | de30a13e729deeb0d1db8d434a22df91 |
| SHA1 | 890963a3ecc8215f6c02b453c7192fde3e78edf4 |
| SHA256 | 20d9027b0092946603aa2998aba3d2c727cad64c67218a23c89e697eaf9a9b75 |
| SHA512 | 68b4cadc8cd31c94e891cc9ab711f704e2e5138bd5bbf3c6417814c310e233aad3c7ec22858d1e77d8b111a6db738a39de7b3decc735d96bb982362655b0994b |
C:\Users\Admin\AppData\Local\Temp\Ekwq.exe
| MD5 | c39de52b1674da18e43e6caab4ec514e |
| SHA1 | f2f8802291534f461b3353c69bf557c71f0a5c1e |
| SHA256 | d89f9d5a8f36d6b986d5a026e077d60aae68ddc02e9949389d58ea2bd5564cd3 |
| SHA512 | 236f44a30b57532cebf482446aa49494b2c63e7adfe49663de0ec4c3caa633723c576aa214db75abfd6034e9fcbde47ecbfda2274a1781671494aa3ced0a9a91 |
C:\Users\Admin\AppData\Local\Temp\KEsO.exe
| MD5 | 585a2ecf95ebc07c3c91e0d8bc51168b |
| SHA1 | 6b61a7cfa2932ab1a2fef63f84ebc96ad30ca33f |
| SHA256 | 7d45c0deb227b7ea50ded0f4ebd0b169ceed7a7871233bfd6fe99df68aa9de00 |
| SHA512 | 905dfb73145ace8136ff5d94430811b000696d75f528fe7b3b13540d546cc3d642455db3f957015835cb4fa5f443f270554c881d3af65803c3cf4e21bedc8d39 |
C:\Users\Admin\AppData\Local\Temp\MMQG.exe
| MD5 | 7a6fee955413531377c0d4b198f632f0 |
| SHA1 | 65b9c6ae9fcf2d410ce269016a9f6e62ca65d510 |
| SHA256 | ced759f80cf7123180def9bc8d75a93a6c1050f3c77d7879a323c906ae582de8 |
| SHA512 | fdaddc0f825314e1594cd7a5d66f2dfe682d4f2c9317902e305084ade0e727f36a8685d44b96a83431313fb0517b223d11758861acee0ed824fa1eceac1ddd72 |
C:\Users\Admin\AppData\Local\Temp\ooMA.exe
| MD5 | 306d4665875d811fd530f77a7aa240d3 |
| SHA1 | ed9799625f642e07d42ef730ffc8af1b20a29786 |
| SHA256 | 6ce25726defdd9d6710b6aca3e364d049ec5aafd98cbbaf3c49c198dcad43914 |
| SHA512 | 8f1a4c0f7c042e8cf07d76407eca6a1002a3faac334d3ae91570bdeb8e7bafa4ccb9aaaecddc983f75d654c97fdb9693ac7639339aea41b23a18cc3fe3c8128d |
C:\Users\Admin\AppData\Local\Temp\iYMq.exe
| MD5 | 777a5e9e7d0877d59e1d8fb5da544c32 |
| SHA1 | 805d995d0aaa406c9bdc7620a5c17358f2032401 |
| SHA256 | 547853082ba5f37974b11284b52783dcf5f764c999ac78412e088c7452845bfe |
| SHA512 | 839e8b246408fd3ada03db5326348aa0768b646fa3d29a678accfbdfd83cb5869fa418ef31d43fb08da7ecdd2a48b1976e7a0bbb5dd7e603603719e7645e930d |
C:\Users\Admin\AppData\Local\Temp\CQMu.exe
| MD5 | d22049986062afbd6541c62222d91caa |
| SHA1 | 9c87e788d7981c003093ff6cc28a186868310a02 |
| SHA256 | f9e04850d3728edd756b028df77261aa8edf111ab7b892633c1490f2c607242f |
| SHA512 | 3cd884d274ab88939c565be42be7a0e0c62eaf3bd68b62eac112804a1c5d0495e375ce8afc1f0d315c92f6eb5ffbcc4821c950965fadc265ec11776330754dab |
C:\Users\Admin\AppData\Roaming\StepTest.mpg.exe
| MD5 | 5c25473d4c390d80da3a4ef8c28bfd1d |
| SHA1 | 8b22c28f0ac244a3a1e3824ec496235195cb6abb |
| SHA256 | 10098f17e821583527041da6b12b91bb0ac58312279088a53cc00a12693e9cb8 |
| SHA512 | 01086d24ea5d13ca18163c58706c6cef9cb5a77ff36c46826d3e09409d4467d1a13315e1f79e17afb0a0ee260be919d0eb9dfd81538c67c6ba54a9a3d6bc15bf |
C:\Users\Admin\AppData\Local\Temp\cQMC.exe
| MD5 | 9260740830660f22017bc2208b2aad1f |
| SHA1 | 44a26836eab50a395b24219d902525824e8250d1 |
| SHA256 | beb2ab021e23ff6b2b39dee50f6fe5111c10c9c629e4d6f0f97bb6f6bf363772 |
| SHA512 | d0b879f2fe13c08d9aaabca163babfa0173737068523a78009e2947474f1c024da90955a9ac33b11405fd47b40872c62c3d8ddc997557486b0ef0c6750f3ce51 |
C:\Users\Admin\AppData\Local\Temp\aQkg.exe
| MD5 | cb4d9f70802bb577b046cad6f6c0e1e2 |
| SHA1 | 7147f931dcb7044ec102369343e808be3d30f8fc |
| SHA256 | 825b1d8a14533d76b7dab3a5f1596c4f24314042de4804d9ecd07319888ca94f |
| SHA512 | ccddc4610b7aa606671adaaf716f63bdfb840b1534d9fac1717ed31c8b769d6ad23a604944c7867da9c27c2ff3dced1212498d12b5bf000352aabb4919440101 |
C:\Users\Admin\AppData\Local\Temp\ikIo.exe
| MD5 | 46d2cbe4706d277c946ced463a14c4d3 |
| SHA1 | d0bb040c215eeee6f0b893f20098d433ad157c31 |
| SHA256 | e962c3a4efc5f0e5590c2b23a9d5705d28765d5a725af72f66de458fd7a40366 |
| SHA512 | da755fa41af5169cbb3860a992e12b485f13dbc5f63250d5978d8def17a12ccafbf25286026565e287a8d3a0d52a7d9f2ed8ca2bfcc180a2ea3e288820389128 |
C:\Users\Admin\AppData\Local\Temp\QMEW.exe
| MD5 | 81892595c7acf92b802f459a6499d9af |
| SHA1 | cdc92519e070f8b7b1191243ffaecd0527fb3c6a |
| SHA256 | d92753dffc5dbb028f8b92202ed72c7edcaf8157e88092d14cffe15374ae872e |
| SHA512 | 6c4990e74f1a1f630b0c4044d809499f374f8b3f347f05bc287a867b738a128ec64731b736b52d791f913a25c3eb382fdb0c88ee7ffb1d8e19fa99fcb76c948d |
C:\Users\Admin\AppData\Local\Temp\WUsI.exe
| MD5 | adb74246217c7506f186754539fe782a |
| SHA1 | 971e8ee66860da32dcca4f51d8b96bf531414f85 |
| SHA256 | 1d00ac45bf3789c0e2efc6ebd7376cad33bc3af87683e873ae44dad478afe881 |
| SHA512 | a5498796b1e4c5217c943e6935bd7643644a70f9459de8272c0c0aed7259504c7af64eaa4151bf1449c0e5560bd1bb92d7fa8660f42aaf40fd32999ac79e961a |
C:\Users\Admin\AppData\Local\Temp\OcEM.exe
| MD5 | d6cdedd09bf8a7bcb49ac9b426bed2b7 |
| SHA1 | ec905295f49c4957518c5f7d0d085b141cf30bd2 |
| SHA256 | 2158fb4915b8efaf85d1d0ed4953dc12288b10a0dd0a5dc96df509c78338a0b5 |
| SHA512 | b9435ce22bbfd370a40d1183a9b7e34d7220335ab76998085e8cd9cf6b04a4151e12716235f0c296b8762e8df48b2440c0345d092f8a5e1fa7a4a17e60c0921a |
C:\Users\Admin\AppData\Local\Temp\wQgC.exe
| MD5 | d3274d1bfe5da06435e7ae38a4987674 |
| SHA1 | 5b233e247f90e6729078f6d72e4c24102124e5a8 |
| SHA256 | ff98470bd7615c04194f2daed445720601cd8dc84c8c3a0542a7287c99e8579d |
| SHA512 | fa9b72a965d1616e5f6f735e9556f84e60521065f4d8e2e3860f9a7d0f6b837cbbcbaca7d54f47ab1d978584b62bd724fa20812cbb58110af2e8a263bc9e44a2 |
C:\Users\Admin\AppData\Local\Temp\agUu.exe
| MD5 | b1827264342a90e9b26e26a2a8087dbc |
| SHA1 | 36e42a0d4b013e9c70dfa592e2414fd5dd3b8b03 |
| SHA256 | db973baf2faa37953a516621fd238ca3587d9537bb290f83fb90c78fa9241b4f |
| SHA512 | 5b1e7fce60948060e7de5f22c9ddf6fc39059ddc5dd06d8d1523a1b4120826f3254dcde32a236d84f6463a533ff93095c2bffe6d7bcd1e1dcab005d5d547adff |
C:\Users\Admin\AppData\Local\Temp\KQYQ.exe
| MD5 | 8211aa31026a4623b805ca9b925cf86f |
| SHA1 | 350c21201e21addfc85f2ee7b079d493fd464750 |
| SHA256 | 0c3a449a136a082be71445ac980132d5e67a7c2c8a5d54b1a0035374cf23fabb |
| SHA512 | 8a1cad23bed179a5338c631afc1725cd5d28172cc8cb1a2c5fc928a033ad4864e49323ff69d738601ce0ba6b495223a557df4154cc13482a6e7076945e2970d8 |
C:\Users\Admin\AppData\Local\Temp\ukgy.exe
| MD5 | 2f2565334e81c132989fe551ebe86d11 |
| SHA1 | 642b64729434db12fc63bac6af5a144e647f235d |
| SHA256 | e037c989af6e964372a0bc4aea9bdb6e332ed897dca7ad1d5560d2f95669bcd7 |
| SHA512 | d1ccc2bc0cdd92fe02fc8505527af80b28726ec2d4d6ade3ddfed1252b814907792d5a5a6307c6da31759f6f7273fbd06354bdbbb25b7e4b939f8d7ca9ce0424 |
C:\Users\Admin\AppData\Local\Temp\OcEc.exe
| MD5 | 9a19381109985f85ab849072c4a0ee02 |
| SHA1 | 2c0d29cab9ad6b5325533ddf2bce8210902ab415 |
| SHA256 | 263d1755d47baddf33daa178fe4c3eb5430d24f32c47b2ccd08f42e714457bce |
| SHA512 | bc3fe2032e152a4d7af0e6847c75281102df39956389c4ec1de1fbc7e6b29a221c2de83f7b05cface1c1e195313a34427972b58d92823595e1b7c4559ecbd8e0 |
C:\Users\Admin\AppData\Local\Temp\EkEC.exe
| MD5 | 8842730a59da4fa3c1188f045d53160b |
| SHA1 | e243c2a5917b3d9ea7c2cadbde0f05652f84e043 |
| SHA256 | 010dff7ea7a0a78daad9c76243f7137ad57d10bea708a914e123df3770124d5f |
| SHA512 | 5881cba173a658bc5a3ec25ea065fba85bfb45d9163cefa62b6d0b735e171bfb29b59e3e4bc74ef46f97a6a04528309b457c3069ce593ec8761e1cdc45c02a67 |
C:\Users\Admin\AppData\Local\Temp\aski.exe
| MD5 | 61dd85ed659480b43fcb42f1e8cdcd85 |
| SHA1 | a31d822ea7c908e83e37d20f845ace0cf13457ee |
| SHA256 | 5f24260e749f4a20a557a322b36deae70b9bd2b26ee2380d63ed44e25577a2fc |
| SHA512 | 335805b1370ddaa73d6a9c04fa53aadd458949f5fad17c410283a3187db9c9faeaf6a5895ab50e081e1eec5ffa321a49c6f75235a0f0b16902d2607bbae39358 |
C:\Users\Admin\AppData\Local\Temp\kwkq.ico
| MD5 | 34460862c89281546603585eba87f992 |
| SHA1 | c00e6558b839be12b54316e87116042454cccbd2 |
| SHA256 | bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620 |
| SHA512 | b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67 |
C:\Users\Admin\AppData\Local\Temp\ksIA.exe
| MD5 | 947c5f921fe8b46c1a71b8fe48aa11ae |
| SHA1 | e7223799050ccdb5f08640bc057e41ca680df337 |
| SHA256 | af1cb66a1494cf8dabb6c5b6114687dddf4dddc92b9dce4e0e47f51f36e2da71 |
| SHA512 | c651205dda27b3d7aaff3d17a9ad1ebcc0984240583d240226c4f6e9b79ee7fe8d69bfdbddc399eca761d2032e698342c7aab16285252ef58f93f3c87f8f021c |
C:\Users\Admin\AppData\Local\Temp\Scgg.exe
| MD5 | 6d8cd07cfedd6597385f8963bb2e933c |
| SHA1 | f17c975b63c5eed1bdb9477bc0121b6a28b165cb |
| SHA256 | 9dfdaf437a4723401f9f221e537b32e819e78be7111390991ac30c46f5ed9d83 |
| SHA512 | b4ed0efca94ddd654445db3849009731c35696974d7567a8dbb18ddf632ec24e42655f26ef1e71f3b14782c0540f42d8afa2578746116bef295679d70ac5cd3b |
C:\Users\Admin\AppData\Local\Temp\GwsO.exe
| MD5 | 0a48a2f8b2bc251a9ae3cee596596a12 |
| SHA1 | 6c9d55d15ff46e63913fe97c9a75f4c745e90d2a |
| SHA256 | d718d2c8a10fa11000cf1b92137b9d2fe1ccdc59540e5308135185cfc3d77119 |
| SHA512 | 686d8bd98e5ef1dbb93611eec03593cd33fb6f89eba10abdf414daa6071a31473e9dab69eb0467401ddd8eb15bc0a514731e4511afda3eac17bd7a8d4e73320e |
C:\Users\Admin\AppData\Local\Temp\ecQw.exe
| MD5 | fc7eecce26eb448c2150a9880acbcd04 |
| SHA1 | c87af207e9168db883961fd6ac69fd569b392c1c |
| SHA256 | ff897654cbe685f8dd99173e769f915b763e230643d222be2fd3e4460d31f4df |
| SHA512 | 3f009539de6d92b149852e825a4735b292d275b71ec1d91f5de25433a98414a03595fb1b9770eee8b204cd32d18b4b4096f9c831ab9f3276b26f22afc08b133d |
C:\Users\Admin\AppData\Local\Temp\cQYy.exe
| MD5 | 905234b2f2e6995becd128e159a30432 |
| SHA1 | 221b5f45d421b50da82dedfbf9c056e03cbb7da5 |
| SHA256 | b11580dc914c64125b0285ae46e34457c6aa868671b04dc9b515fe30157534c9 |
| SHA512 | 5293852ac0c699fea7a1346ad544710f1605ad1c628964c1aded4baba1ccf2054d7c268ab9abd770b8a3b69e333ab280c2f8cc34e06734d3fd50a6bf81e254c5 |
C:\Users\Admin\AppData\Local\Temp\AQQM.exe
| MD5 | 746fb4fa967a5690b69d6e565f7a7cbc |
| SHA1 | 9c08aee88283f9c7e70208dc756682c132191b1c |
| SHA256 | c16893cb0884c44b80f69f20fb91af67d5f75299c79fa069c70a6e5117800c62 |
| SHA512 | 0289124e7119b4d889a707dfba7cc24fc13d96c72e023579796461954d176e9b71638e6e14a64c98885696c25d7b99c45158806f207eee6c1f29b300c44f43a4 |
C:\Users\Admin\AppData\Local\Temp\Ewcu.exe
| MD5 | 083c5cda8c57f00c50d36d30ee498274 |
| SHA1 | 284ab487ed2e41324c5d549f62c8d6609f7d2c31 |
| SHA256 | c77a91ad43a80bc629e9f4e3684ec7263b108fbe245d719dbb0b82f80c4e0225 |
| SHA512 | a7813e94a1aa73b42cb437d1c97f8894078c795e25081bb7cdb55d2c6089efbe2e8765f2892356a783df552b679fbbac0175f152f78004153ef49a192ecb8c69 |
C:\Users\Admin\AppData\Local\Temp\GwYA.exe
| MD5 | 4c36c63708358b32cc237db1e59c2e45 |
| SHA1 | 96882389ec9a55c4d8ed0564b0659b1c40b243cf |
| SHA256 | 772df3e4ea5c5f53e62a3f42f4f13b575a5c3c7ae26047ee1f011ce5e73946fd |
| SHA512 | 6b16eb878e66eb5e16fa38bd61f494c132d3c88f4453155468282fcfcf4a634581ae6eaafc1be1e066dfdb871899c69048194c076dff608579b65e216c853ea1 |
C:\Users\Admin\AppData\Local\Temp\mMkQ.exe
| MD5 | 3cb4839a7641beba50482f1fdaa08991 |
| SHA1 | acb19655717ee2d9c90260eacdc1c55a4c4f129f |
| SHA256 | 468d82b3781f60038acce007bc3330c751ee483d3d74b87746ea6a51440f3586 |
| SHA512 | 14fb95bb64681ecf4e225f2e02c344a381b525de0c73843875cbbf0edc3f4e396502a3833e7592e03ba50d68add24724356b4f019e041eb9d08fcee8f2ddf22e |
C:\Users\Admin\AppData\Local\Temp\scoa.exe
| MD5 | 09b82c788cfaff9d0b6dfd323e06dff2 |
| SHA1 | 319884b1aa9478c0c72379b69041c48bd8c28872 |
| SHA256 | c26e3fa1bd7116da7e38968d4209894e63adfd4266b086bd50f20301b88c08d1 |
| SHA512 | 56a6683524efdd0ea5a6e6cdadb305a0b3ed5c95dc4e470f72b9f1ef00e72cb3957f75d5050fb15ca3a79c49ebce70ed81bb2f4435916d797a8d96a100939baf |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 5170946cc530b9f1ccb4623c30bc5abb |
| SHA1 | 5b65156617d31a5f6a38170b687463e22506d42c |
| SHA256 | c30d74ba1f8f3eb78de45d83c84c19d5c92271b99eb9fa5b67faf96bc4658e3d |
| SHA512 | a275734175bcdd19b45cf1e57049f50de6dd7a38022cd4d9b08b62aaaeb15ce9997575a0f94310631cccb4787ae0c978866ba38abe51cb44dc5f74fd277f4281 |
C:\ProgramData\GWMUswwQ\dKggoIYI.inf
| MD5 | d74b4f3787a1f9382ebf5fdf9bb17880 |
| SHA1 | 430963398c558fc5e669edf0b83b67713c21271c |
| SHA256 | a5af2fdf8d0470146cd36259c037f8699590eb813cd1875d62a1208dc7d52a7a |
| SHA512 | d2bf0c0d32a4f9b4f961153f30a7bb007d000438937f2fd8c6fcd5409979bc6d6372d96c2cd297ccdcb145173a84790cfb0e7a12a7fa06e5f7ab3df28f8243a9 |