Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-mmnpna1jw2
Target 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock
SHA256 4e570261798b1f8ea4b1793efd7f4b0fb5a109a99a1dd2bc2dd5859e46df4968
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e570261798b1f8ea4b1793efd7f4b0fb5a109a99a1dd2bc2dd5859e46df4968

Threat Level: Known bad

The file 2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (90) files with added filename extension

Renames multiple (89) files with added filename extension

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:35

Reported

2025-05-29 10:37

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (89) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A
N/A N/A C:\ProgramData\VQMsgMUg\KcQMIAgE.exe N/A
N/A N/A C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A
N/A N/A C:\ProgramData\VQMsgMUg\KcQMIAgE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" C:\ProgramData\VQMsgMUg\KcQMIAgE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggkkIEYQ.exe = "C:\\Users\\Admin\\NaAwwUEE\\ggkkIEYQ.exe" C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KcQMIAgE.exe = "C:\\ProgramData\\VQMsgMUg\\KcQMIAgE.exe" C:\ProgramData\VQMsgMUg\KcQMIAgE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\VQMsgMUg\KcQMIAgE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 4680 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 4680 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 4680 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 4680 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 4680 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 4680 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4680 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 3648 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 3648 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 5048 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 5048 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 5048 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe
PID 4428 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4428 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4428 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1356 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 1356 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 1356 wrote to memory of 764 N/A C:\Windows\system32\cmd.exe C:\ProgramData\VQMsgMUg\KcQMIAgE.exe
PID 3576 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 4304 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 4304 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 3576 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3576 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4396 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4396 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2260 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 2480 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 2480 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 2260 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2260 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2260 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2260 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe

"C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe

C:\ProgramData\VQMsgMUg\KcQMIAgE.exe

"C:\ProgramData\VQMsgMUg\KcQMIAgE.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\VQMsgMUg\KcQMIAgE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYMoUEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\ProgramData\VQMsgMUg\KcQMIAgE.exe

C:\ProgramData\VQMsgMUg\KcQMIAgE.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaAMoMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIssEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUEgggkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEAsgYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcQkMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByUMokkc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOIkIcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWkUwMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQcAQQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCIgoAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMAgIgos.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAUwoIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGgskgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwsoAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsQccIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoUcMIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeAYgwws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwsIoYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwsEUMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEsYUMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYQAsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuokIwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCIsggYo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQwIckII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYgUYUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQUkwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIssMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAQckUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icEcUUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCUIUkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgokIkow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoIgEIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgkwwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUAgcYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmkwMYow.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYkIMUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmAsQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BowYowgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGwEcsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIYMAIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkkYkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UisEcIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScUosEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEcsssAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcwocgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmcQkIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOUwgksw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEIUAII.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMEgAwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAEwUUws.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zosgAgAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUkoMAYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgMsUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowQsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIEgcYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGogIMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUsAswUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaMIcQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwwwYIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuksowwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyUkYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOocwgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WakcUIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuskMscY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqUQYoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYogssgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigcQUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKAgwAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUcMgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQswokg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsAoccMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqskAcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoswMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUsYIwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoggQooM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCYAEAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQEkkgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMcgUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcwcwgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsQwEcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUEQwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMYksMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqsMIkME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUwkgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkUMAkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQEwEsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQQIEYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UioIokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoAQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACoccMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcoUkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGUkkYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWcEYkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsggUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGscoYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUwMIMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIgggwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aekIAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqMAEQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\necEIwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUwUUYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIIIwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsAAMUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukoUIUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMIcIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LusgkUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYwwIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAAMwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUgUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esAYoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYoQkwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwoEoUog.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUsscwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEEUYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEMgIkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqIoYscg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwcIkQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUskksUo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYsIcUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWgUMQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaAcokgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQMAQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqAMYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
NL 142.250.102.100:80 google.com tcp
NL 142.250.102.100:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 142.250.102.100:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 142.250.102.100:80 google.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

memory/4680-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\ProgramData\VQMsgMUg\KcQMIAgE.exe

MD5 63807c2516613f8b04586749ce29a45f
SHA1 cdca842015a8d3e89886bd76cfda94fcc8d86c75
SHA256 0c21900eb65585b3ee2a75ca6f4b6c0d42dedf3a27e27d5852d345f43cd395be
SHA512 9732606c91fb47f966f55269e9337e9f524bdc53631915a2bfe710eb517c93df5ad61dc494cb93a36da2b5530a114793e40324b20f0bc060f59c885c15e765e1

memory/3372-14-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.exe

MD5 712d434ccc3a071783f8b515a550c85a
SHA1 79ad6c716bc6fefb707ccc5d4088891fb215d278
SHA256 817ddc88260957a0cb0b149e064c19e324817d29d381515724998b5bec08ae87
SHA512 73ef006bfdc329d4a59b92c24084ed6500503107df94aae45abf1294e211e5b02bfdbf1e0cddd17a2f011dd2e255d458cbfff04f5c311bf81e0e2de2a862600f

memory/2880-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4680-19-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3576-21-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dYMoUEQw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2096-26-0x0000000000400000-0x000000000042E000-memory.dmp

memory/764-28-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

MD5 00974aab6b9832933e8ac609e50e5dce
SHA1 6fa57587c15d3de9c9ace6da93ab80830bd87771
SHA256 7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6
SHA512 c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 5369d9147be31024c4777ae4722f8576
SHA1 7dbd39d379727762a4e839b2a60c6c94bece4b8b
SHA256 fc8a0bee5ba29a391f9e3f7508839ce0f9a78cc6eecdd26568b0363f20572d07
SHA512 8910fc9c0144a63ab0b2b50eed9ec97bf52cd775bd804c4d24c40b7c2df4ea6dc8105123e31c79cdac9f9abd3f6082fd64d75a1ec9f49213194e995dd807fdde

memory/3576-39-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2260-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2236-63-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4392-75-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5084-79-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 44308ec74e58ad0318ff4bdcf8e8bbd7
SHA1 d66dc5abf25928a09ec8dd48815571bf28db17bd
SHA256 8c92b5be28a0d55d10922adb4a8a3551b69359f796338e5c6f2d18f5acc3e455
SHA512 b143929505d20cb53298d7d8092ac0b823636141ea921329b4bc5e8bc4cd2d3446537d7855348599ceaa85f5b070f575747282863f084be95b7582a2056295a6

memory/4392-94-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1984-102-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4952-106-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1984-116-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3792-130-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3260-143-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 bc012153915aa73baae10cc4dd703292
SHA1 b9e801b3be5b13e3ddeb7c3a02614983988d3261
SHA256 6aef5b081773aebf2d36e04920396407a444f1e39143e5ac695db258864b0e21
SHA512 4868ab0d0a541c160e1f8c0640e75ad79bb84b899d3230d26f680cfaf1d96b5a9dbacf08551aff0727ef2cb4697a7c38578ed3bbdcf243e3f6651b303c2e204e

memory/1856-155-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5068-159-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1856-170-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1640-180-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3552-184-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 593a131a2cb9e716d8883e10821393b8
SHA1 5af84f68831efcffb44a512da5a8e7cd0ddd0c40
SHA256 6919cdc65034eb00b2f6f43fd04d921ad09b90c940681dc63c26c8c179bfad83
SHA512 b2fe3e3feb52091be8ded18f90b1d8ed05f9f930d2db95252d4ed1435aed05745d040ac6d6320d6ae6c2e46ccb754a3de766e8bb1f9001734fcdf2b9363006cc

memory/1640-199-0x0000000000400000-0x0000000000430000-memory.dmp

memory/448-212-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2136-222-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1732-232-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1056-240-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1880-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2064-258-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4940-266-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4904-277-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3012-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4756-294-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1580-304-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4356-313-0x0000000000400000-0x0000000000430000-memory.dmp

memory/216-322-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4084-330-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2236-339-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4952-348-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3636-358-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3568-366-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3880-375-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1188-386-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4692-394-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3552-396-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3552-405-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2188-406-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2188-416-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3908-424-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4136-434-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1580-443-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2064-449-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4112-453-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2064-461-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1640-470-0x0000000000400000-0x0000000000430000-memory.dmp

memory/216-480-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3592-489-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3616-497-0x0000000000400000-0x0000000000430000-memory.dmp

memory/556-499-0x0000000000400000-0x0000000000430000-memory.dmp

memory/556-508-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4744-518-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1104-526-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2148-536-0x0000000000400000-0x0000000000430000-memory.dmp

memory/540-538-0x0000000000400000-0x0000000000430000-memory.dmp

memory/540-547-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1248-549-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1248-556-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4608-561-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1392-566-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4608-575-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1972-585-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5020-593-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3092-601-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2456-612-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4396-621-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2900-629-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1456-639-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4800-640-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4800-650-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3052-658-0x0000000000400000-0x0000000000430000-memory.dmp

memory/876-668-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2828-678-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4328-687-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5044-686-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4328-695-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4612-705-0x0000000000400000-0x0000000000430000-memory.dmp

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 71d9171e32f4722b58d096ad0a45fec7
SHA1 670b3d0dc76cb8fd88306f3fb29026420f7f66fe
SHA256 f884ff87a8ec515df2251a8b89d3c2f4ac84c367543c762473e08d6b2c3d96ea
SHA512 d7198b6de2a8a0c896588b09f81b0ac13d32a1224adc0015eb30df27ea7dfbf8deaf89825917dc16e27bd2657bfda0a045cb2a557e35e3cf39fb615776a10c08

memory/1484-716-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3092-724-0x0000000000400000-0x0000000000430000-memory.dmp

memory/700-734-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3456-743-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3508-749-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3260-753-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3508-761-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5040-763-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5040-772-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgwS.exe

MD5 9160c958d17158462cb87b6ee7562eda
SHA1 46d0a6906590764a8127a6b81a081b1f6206c190
SHA256 8927077e878ffa6fd919accf87468d0e190d54412638f068cd7e06f3800cc7de
SHA512 4fdba2e8f0ea554b25e0fe8ce217b174a3474fe49674fa97b4dbb1c275a8f380af396c0a124986d8bd4592249f88602330d3a93e370b8ad0cbab99d5d3ef7f87

C:\Users\Admin\AppData\Local\Temp\MoAI.exe

MD5 ad5301b097f15e14889016228da1e253
SHA1 8f4e08679292fd8ffd2ab0d8a28f594e6dbe570c
SHA256 3f644a8c13aaca0fe94d504c7fcf34efec93441b91f309f0b590ed4dc1615c4a
SHA512 21b827bf63e884c2daec945092d3d6f408b1f0dcb2d2b7ab665497a51f863c249b6c90b4842f7edf28ff80ff7254dd18354b3480039598dbcde285dcba842f64

C:\Users\Admin\AppData\Local\Temp\cgUK.exe

MD5 0c9bc01f4ac06026d7d63ee8921d69d6
SHA1 d01728a681a293bae4edd0ba2cce560a019d3fc7
SHA256 40944ce138f2460541d68b69ab551694a99ca5c2357d66ec9a92af8dd0434358
SHA512 0e5600ebae554806c6d461b0c032157a5a5cedab8b46b1231d0454c23fe403b4224711e2d596f248828a306afc245ef49d55b8dbb840e0186940e4de57f31b06

C:\Users\Admin\AppData\Local\Temp\wUUA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\SAoU.exe

MD5 94adac8552c435d00c547da03a71db0d
SHA1 35ff140052b46b1d55148d7847513ea4e52f6deb
SHA256 75e042b20c4074a01f68b6e42522e8fd05bbe3ae3812544a1f8fc79539c23e8c
SHA512 e7f8ff329524a451f8688e94f6c3b346f3ff18aabb528c00e9ab55a9ed1c0c5533ed49d2c0649ca9fa23aa89133bd8fd8d4dbdb7f0c1a2fab6ec5e645247f5f1

C:\Users\Admin\AppData\Local\Temp\mgAC.exe

MD5 9807e5656b93baaeb87bc96c7267a3d4
SHA1 12441148a4b909d3613eae415d372d71c66ca0bb
SHA256 02c7502056227bf85736bcf5446c894f4ce70fb322e81da8036aa67dfbce5a09
SHA512 b099ac6e508b72126a78884d0947781d967a36bae69b2b04d5f5925e241155420ff3f69843903574a149676e2a284577164b25a65fc0fa095897dc908face5fc

C:\Users\Admin\AppData\Local\Temp\cMAk.exe

MD5 d23e01df5a820ae9768691bf38157a83
SHA1 e3055dddc1e0696fec73d55c0e93b2f9b8fe97e3
SHA256 59e539d237902063f28925cd0a0436918de7f030767ccc022359c5c8a8afca9e
SHA512 0aa59eb038abe99153aa01ddb8d64d735dfc8d398b3f0331f82876a11e7f4db236a48a7e60d8f6d3860cb5c9d8fe6af1779b37e618373d34f988723afe568ea1

C:\Users\Admin\AppData\Local\Temp\mssy.exe

MD5 63b3ea5fad178c35fee2caa3ac1eead2
SHA1 794cb17e9ea8013ffd1be2a807787f325771ddd5
SHA256 5aca07392ab474d36fb33db9d1b795de2d55a076b7b2af81856da1fe28d744b1
SHA512 3eb9bcba885b264b116e21c2a81a1c678b2a583f20a0a23ab890dbef79e5bd10ebb608b799c9d20e69db4d0e3b1d12c2e588065ffeb47ade30ef50de70a11fea

C:\Users\Admin\AppData\Local\Temp\YYwK.exe

MD5 ba0c0ba2a467015228a7fd68c32b2781
SHA1 b1c3049debfe1dfc290df50d3da7990b25c4275d
SHA256 2ab97a1652f734b357a188ce7cb3b5de422663b3670c48a3e594f2a29b321bf4
SHA512 ff1a7f5ea50e6982883ec2971335f816ed66dc0f36f51f12a97a435f7bbcdc471c2e394fcc217fcefb062b930b1d587367f304a1d15ea2b99aceadcef268ee45

C:\Users\Admin\AppData\Local\Temp\uYYg.exe

MD5 f448656358312760267ba5073292857d
SHA1 a9e5dd070ff34211efed63d70fd6972d2dbed89d
SHA256 88c4dd07afed69ce68f1c0d916482f639f03769c286acf3493bec42a7b521921
SHA512 b359116131ff4b55648d21f0adeef101ab80f1738b5d2b1e7b866da24922dbbeb4bc16f93da985c3cd43979630d984572ceddaa728a3e48cdd8954f027fe359b

C:\Users\Admin\AppData\Local\Temp\AEAk.exe

MD5 800b4124ef87f0d0d6bcfad29b982502
SHA1 c425214a9b31c75d690312588c083a1e35dc8bcc
SHA256 7031465b079a494a32f9ab24aab147f4c7d174c83aeeaadf5e1a1fd37e05e3d2
SHA512 1f140f8bae3b667a8cc53c41dbe5463a902d8f987f9bf18ff3bfe25fcf8015824e1648918b20b713b0543891b0cbce1bd2596cfa4fb34f853118224fb05ded2b

C:\Users\Admin\AppData\Local\Temp\QokO.exe

MD5 2f5d7954a314cb4bea47d1813a46ba61
SHA1 4ae77e3b8712f1861a35d857c05dab5148ffd929
SHA256 7d5e8bb53ace1be237abc52bdc60cb73433794f30e5f428ab89a7b44fd28d6a6
SHA512 9573afb780d5491d05214f960a8acaf7a1dfa8728146277f774fa352afd76272bebb704e5af19099716f7b1460299471ecc8469e70c8c93ff13fcad71fdb77d6

C:\Users\Admin\AppData\Local\Temp\WUMe.exe

MD5 cd98f12c1bb086f09d88aafda9b6505c
SHA1 6eb9dd99741e8ecd439d50fc56273259f2364928
SHA256 775982d4e43ea2e8500013db265fde5904a47d1b959c555e18f242a1f30e53b5
SHA512 a8fdb64651c93bb01ac500b8ce2cb1b294ec6c5ec18a0ba3a645151e80cf8e5213fd354637eae7a39e0d405e0127bd164cdc856fbf4ad3c7203560d4075b4df6

C:\Users\Admin\AppData\Local\Temp\UMAs.exe

MD5 489e3b6fbe8ebb6c636e99a075f64a10
SHA1 369a792a5335a04455c11fc110d0535a0e4920f7
SHA256 f5ab0eb938f971be45008288a111c2156b7a48d5497ffb6117ca8a8da1d8a81d
SHA512 060dea00b9a9091e0d8c722cc91a8dad64c6866af0507a84f18de3bd8270892f8cbd6ad2451a19e80ba8970cf77071f20742c8d63222d87709cd9da529ea715f

C:\Users\Admin\AppData\Local\Temp\ScwE.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 96e555bf70e056e44a537fa977e3fbb9
SHA1 62537b403b01a6834538569a8c2e341d11743eae
SHA256 b6eb47d852132a7616df1df1fdac218487f55d547643961b925b6374ea7e08b4
SHA512 ca601b59a5d57e19c47c01db062d3bf489a0f3a323b45f80b66643c8c2481824999d9c027f4a5d225da5ad75efa88d3c73481ed2998bd3d3a7e952b44ecfa124

C:\Users\Admin\AppData\Local\Temp\MIYy.exe

MD5 1f89c71020b4450126efcedc19dabe69
SHA1 ec6d741a29b558af7be4a90badf2a1b7af97b073
SHA256 0b3efbb13fd7a2a638325f6ba47de659398acf8f57c71cc20a8a3d771d1a2904
SHA512 811dbc736d75224f619260e24a3aa8aec22788d96c66ebce090dc4a109ddc08618dcf31b1e768def8ff895431c8bd23f446a4448eef5d91adffc5d9f0ad8ec8f

C:\Users\Admin\AppData\Local\Temp\QIUQ.exe

MD5 346b51e267d8cf96d09a993816c7d832
SHA1 eaab55e639c86e1a4cbeb17bcb60c83d6036d489
SHA256 6b15ee62178d3ad25d8334a8995eec7b737d5ce4435c292ce1d4bc9df988171a
SHA512 ae3b024995a8d7e4d1de9b61aa42abfc07be587f196f1d39d7d429ea54ac85610a3089c91e48c455cc737fc9fa36faf8d8b7eb3d01fff06467c136435c2eff6e

C:\Users\Admin\AppData\Local\Temp\kAom.exe

MD5 712caec265898f34b26d2d525acaf895
SHA1 96eecc85a26884ec56a174f7dc3db947b8db00cc
SHA256 991b78b9ed7807a3b4354ae29732f8f396240395e3c22c70c03b62ae5d0fc0d0
SHA512 a0f284e9f5fbc638c6b21a8ce7ca3857660fb80fe8d7713d3032334f2f178bf5e3dd7e1895cbc0b4b2c8b03d5c0bb80f285a29f4a5035e04ca4122a20246f2f1

C:\Users\Admin\AppData\Local\Temp\MAkM.exe

MD5 e0c790ae0477c1f7d1d9ce2fd6b3efff
SHA1 3ee4d5b9a20b1f965f165c86618e6d11d8cac028
SHA256 35b0bd1caebd91990af40aa1d229702a2c06f003926f70e9a5e6f1620206c960
SHA512 3d83161f0170d9d3d9966e18e13deee8f31a2cc74df44499307b8c8eeb9699f16487e4e57d59af6c0b4d62762204dd7ab0566836a4c68551768727d8ca7338e2

C:\Users\Admin\AppData\Local\Temp\Ucsa.exe

MD5 8f52f411e6515b13f55d42cc70753860
SHA1 18060dc2d5da7c33506ce034d4b83b0874516465
SHA256 18f43c7270f1789f74613d40ee66b4012388b01126ed1f3b66409f2e25a2a495
SHA512 e92892d042366a65ce82bb7387d281119928a5cbd314fad21d100adf0676689328f0285ca948c6c45c1b0816fafb54944b30d2c5539c3c69842a5d9a8ea9983e

C:\Users\Admin\AppData\Local\Temp\Ugki.exe

MD5 99361aff8e5477a8d7ca3498df3419f1
SHA1 b7cafe5d2f6f3c17112c0bf4d9cd045fc25f0948
SHA256 07a81d1ae21188e6539a29717373caee9b2ffcc367a7c3936009e10fe1091f56
SHA512 2d1fd7d9209ccbcf6cdc0504e30e016cd6f705f7f3abdca65d40e1b5d43d5f4a922940c07214c72e04736588740a7c42dda96b9a1c951474b1d846df9c4cdd47

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 74d1088c52dc6363211227e43a9c4375
SHA1 4e12f8980fca09c49e483748702365fa4f22b50b
SHA256 1a286cd813cc3c1eab574855a6d77c417c2d84c282bd348cb3a936023054954f
SHA512 02c22c957b1e4c7e09062dc756e6edf13ef3dbc963802c905cedb7c048fb509a9c28d45796bb5085c99c2e103c758a7a70297f64d9df32b8d0a89f79298416ce

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 b953f08a1cbec6529eb8e552dae6390d
SHA1 d1b77cd457085f0629911789319740d944d84551
SHA256 01dba662783894a965e1d6ae30695cfdaa54a955dcd2b7f4a25d0453450b0dad
SHA512 c1bd9cba7935502f4615c11b0e271a6e4a1ee9097096ae73695d08dc5f5431cbcdb1ce445f4f9861441834fc609ed0a88afbe6cfe3a5b948b475ec784955bea3

C:\Users\Admin\AppData\Local\Temp\YQIw.exe

MD5 9ae0fb11f3b4d0d95c6ae332cb00e480
SHA1 55a637757d1485290f8f73f578f3f35edbc67856
SHA256 307251052dff31aa1dc55d50599c77e019f336e4c10966eebba8ee091ad96527
SHA512 31a29434d79f4d50d090203623c3cd6df48568e6e7281e71da3f0405dedf907ea364f4f81031273e3491bbe0acd004c4df73b708ca12a715594ff0ccaad322fa

C:\Users\Admin\AppData\Local\Temp\WMUa.exe

MD5 389acd6f014635c78dceda948d78ec6a
SHA1 8f98907e4e9af861a54865d3c2d2e80b701d4ec8
SHA256 367257d8bdc71b66e8b455a910e7e71ee0e22e571fbc7218a7c8e401461f141e
SHA512 c5d1a2dd27d67e3a8ebd337b41928b88b50f409086899b4797a0ccf1f6d2bbea9a6227fd92296f98db370269d0e9489dce254bedb922a09ff621b01de57568d9

C:\Users\Admin\AppData\Local\Temp\GIok.exe

MD5 bdbc71c6466d697728132d7bc21ffa24
SHA1 35f4a5872d66f42ed3bd92fcb79624737679c5ed
SHA256 01a8f3ad75615ef8f6e8ef5874d8e0d7d1fbc998dd21b9fb05b11f13c401394f
SHA512 cb4f03d76bc9155a81369f5b21bc675ba24bc36d017ba54178b07ced735e40513656e1b913daeb0c539e9209271a994255fee48ee7862f9ef612f1f633130817

C:\Users\Admin\AppData\Local\Temp\QsYA.exe

MD5 d2340c968f5b040b0fca659a646bfece
SHA1 b0c6df96011f7d6172510a43aad4b8559856a545
SHA256 ec5c31a2056edf89adfefce84c4e58af0c01db11474ca29c19d80e591d9407d7
SHA512 2112d3b47591ca5a58434cff64b3abdb92f91930a0cd68c606ef9b1989455b27b921d7f561c8efa4feca925f557eecc727c38cdcf38f535d928dde65f05ba396

C:\Users\Admin\AppData\Local\Temp\eIQS.exe

MD5 477ea3c562e8181b0750fa455490fd64
SHA1 0579aabd68aee936e5c05293644022a49762bd6e
SHA256 adf9447dcdd0918911806794b1916eb8b6d1dd8776cb6ee5c68ea245ed1e12fc
SHA512 09a4afe332d328e0b81494504460ffccb9befd0a98b7758a280a315dcafc2de919c85ccb579feddbe302ef5bcb4b8777e7c2f0ea3124e8c4e58c93f96184bc21

C:\Users\Admin\AppData\Local\Temp\CgcC.exe

MD5 21a885f044770cff1dd8f7ec7b966e3b
SHA1 6c5a7fc2b12bae0252254cdab00e73050fd60b62
SHA256 0cfb460466adc91d922bd0a2a32085eacfcd4f38ef1bd452f1ae207c79493dd4
SHA512 e4c26e9bf97caf0a4553236b2a40a1d4016c6e5af18fdd019a688502d2596bce15ad976a99197d015a4b056f006b2119bf2b00c7bc1428046971ca1cf1931639

C:\Users\Admin\AppData\Local\Temp\AEwW.exe

MD5 58c4c6ca6af53f1aff5d54395aef4bb7
SHA1 c5733789a5eac17c3cf9f53b00adca98c5a24bb1
SHA256 54169f54164f09b65f02ec2dfe9ca07a16c3f5b5233ab513264fabc8b6644c8f
SHA512 ea67c7de25a768f0e605ad12abd2dd8fc118e11f4f52dd57d22c4b176fbc11d6df504a9e6a41a3f133579500cc2216fecefa3e4b8ec1edbfd06da6c1cd1c642b

C:\Users\Admin\AppData\Local\Temp\msoS.exe

MD5 dfa42ed71e847ea4180d163ca6e40e7c
SHA1 fb76e22473057fffef913108797376dc45cd8b45
SHA256 242e14552125322fb9c8fce6d7e41a2ad64fea9872bbb686bb8774f8295e2c63
SHA512 440b0055b3be75a5dea1f8cd49c4f30dc178348a9f828f2efc41733ca64ee87659ca2bf5fe1f4446ed69e3b3879efb16ba7b0a0f6a8878dcc64a5fb04cd8504c

C:\Users\Admin\AppData\Local\Temp\EwQW.exe

MD5 9a8578884ab6674ee546c150fff1acd8
SHA1 abebb438d8349fbe04b31236e3ae472805d3134b
SHA256 1dce2fd975183bf71963c52a53adcf7241e3ba36a54d0548606c6c23877836e3
SHA512 525c46c9483778c917b5dc4dc6cc4d8b0eccf4ffab9aa9137c96729ae4072b12052e2f9c73a51b599c52322f1c1556034b1d9e235109b98e6226469b8db682e7

C:\Users\Admin\AppData\Local\Temp\CQAi.exe

MD5 24b369a4bb1cf3c0921840214ad21762
SHA1 8885c990cd55e397eac2644b1ca7842dc6a0d4b0
SHA256 96f9c636e0a2b6797d21c8e9c207c2b49104cf3ab8d66835f5b626921cf8c97a
SHA512 1cd8bccdd46f3dca1ae4c86e22a2c034cd1931f1147c3678be20468bfae5fe20286ef2dafd3878fc4faa8b42ce184d329d212e866325bf2306e820d12b673873

C:\Users\Admin\AppData\Local\Temp\EIEC.exe

MD5 942e65717e539b49997fdc568bfab93a
SHA1 41d9390481edb296369772dd5964e2c8674358c4
SHA256 e0c2beffeddbcf13c4f52c39d112bfb71a2c1e0fc5604929d42b81dc06164b6d
SHA512 a92227c0421bfb87a3d5d69cba712cdd832abec8fee6dc9754ac4d9e5313bd3d2c5ca2a40d86ffdf5225d798bb7439cb32b199a6147bcd2561c2f59b01993b8f

C:\Users\Admin\AppData\Local\Temp\OIsy.exe

MD5 069a3f6290b86e2f8f568773c52f8b0a
SHA1 b392fd80572ce0918d63f0adee22a67ba8e50730
SHA256 ed04b50e46c443ff8a61b5beb9def68f529292626722143951e14a0690a16aaa
SHA512 d57e918959ae51022baf90c3e6d2b52f7c5315417fe3da3db8d464c9c7c9cfb6a642fd5975a0d8c4d81bc7eee1fb7ad7eb8f0e603c5f74e675bb5ea8af7f71d7

C:\Users\Admin\AppData\Local\Temp\uMYi.exe

MD5 6ea9ffa4876d95992983ec3d0b058b98
SHA1 2d11a8f357bd501c2bf4575425f907dd760ce949
SHA256 f98db9169160120646837da385ce14bcfbd504824a447d76513a6e981a4feba1
SHA512 2c6ea8cb88fbb5e6003c8965eeb1b34d95172f6ce603f7e112a8c9b71a87c1519d822e41aef31a33c10b46a4aff17eff58ab3b74ccb09eec9017f7f4c8df629e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 ab28a0d6cd0211714b3a855bcab0a32a
SHA1 f8ae535e3ef3e340fd460eeced5068d9cdcae9bb
SHA256 921dae72afc8bf4f9982a70ca739fe34a4abd00b22f763327839b24e431a057a
SHA512 4e3a81d0b6175615282cd96c1a8bc6d3368d5e7e5629047136c517e931c4399bd92fbd56137747ee8beaae4efcf0c941ed2359c464aa225ed59035c299930037

C:\Users\Admin\AppData\Local\Temp\goMc.exe

MD5 a7008fe6423de02c17d3792be006bf0f
SHA1 505568fd7417610521bef40b0d205bee8a2037d9
SHA256 2e324ccc2da41d51a975c92e5be3dc068931090111f1bb8f3e85db3a08cafc96
SHA512 8122448de3100ac8d48357ac21f1730f0c16a4c85cbfe7996671b8cccfe91a7a98fc27fbf486c6c9cff1839be83ef1392f23fec26ad6b4c9a54660f6097883a3

C:\Users\Admin\AppData\Local\Temp\Wsco.exe

MD5 47d65077cac5e82357adeba861a4d9e4
SHA1 47ad6609b4c966e8beed513d00e8db73ab95f9b8
SHA256 f315e24062ed386a61fc10bd9f5c0f167806fd773d46ec81971d163b6d51d252
SHA512 4179b89d0863b4b4bfe976c4df8bc988dcc6a09efad73d67b6ff533d62561fa5a6ca397c99de843fcefc1d32286c4557e147b984f09c3b9ae16505b15bb34dec

C:\Users\Admin\AppData\Local\Temp\wwIi.exe

MD5 b001b9434f7048401ac0cd7873910e97
SHA1 86203c09d8642571797958459b9e4c621d862ddb
SHA256 190eafe21834d0dcb4b36558cd02c8dbc762991513f5eafd39f33c1db0abca0d
SHA512 2c531778f3ce99f5592b24a7c9f2b0ddf774ff026dbd680aa131e0ac7c600abdde013d5530807cc970317fb257c0bd982e848462eb63f864c9f68d454a4abb53

C:\Users\Admin\AppData\Local\Temp\ucYo.exe

MD5 27d2589fece008d9c86d9bcacd4fbdd5
SHA1 69380a15a272fe17088882c6056f8700a8c3de4d
SHA256 d0d10dadd6147500e4b8e2cf414dfe86af769d4baca16cb918b1204bcc91ba42
SHA512 ffc73bcbc96cca6bfb79b5fe6eb41e06dc993a2c8bf03de316f95897881af6c33e120babe83c89b394fbd1a823bd55219db827655bd807aadbbe3553eab58bbf

C:\Users\Admin\AppData\Local\Temp\QQYk.exe

MD5 f5dfc64b01aa2c1fe69bb54af351ac61
SHA1 048fc89f000c78a2ac4a0c88eb3d8c9bf27092d4
SHA256 d4e1c49ce190de329b04ea875b69c0ba9227ab65bb7da20d786793b3d2f55bc6
SHA512 eb23da974716e2af92a67e8d9214eb27588893fd1d01e81910bf23bc2593b92b6c1ab4836c090bd1936ad2402c20d05dd49bf2fcf4d75302ea4d43d392157266

C:\Users\Admin\AppData\Local\Temp\WAQE.exe

MD5 bbc5ffd96984a5ac0292b23329b73c6d
SHA1 276bfb6d6f1d8265a79a8e8423a45e85bf2641fb
SHA256 f6d111fd2d198d2f94b8a132aa0dd455e00d279b971d217d83ae8329e05f1117
SHA512 2d14c638c069ea27bf13ae4a929283626230710a1aaee41a34cad0ba1fc0ef25373e8af7c80408d7eaa807bb023dc473029e614f7664cc8507d63844efc29bb3

C:\Users\Admin\AppData\Local\Temp\eYQK.exe

MD5 50f0dd816de5c4674f1fef690d2d8356
SHA1 5cf412acaa92ba9545a581cf7df55e66d30c4987
SHA256 b6d7e03f94ed8aa1a2118f89bc5a542d7bd625e6503b46f5d8c7f9816852378a
SHA512 e67d53eea604d22d11b15e4e6abfc8b173263c4f004262ad09d3b59aa8b04ecc1c8726549efe6ea45f32334340f61e7c71d25be80a3573dd07b0636bf897334e

C:\Users\Admin\AppData\Local\Temp\osoq.exe

MD5 310e86b26320b83a364792bb118301c7
SHA1 9f0aabdef6088faac0c54f9855ee781fa5def6b3
SHA256 6f5c00ff213f3336dc077edb650b122be39b1248760fbabb8401c72cf13afa21
SHA512 4b4437118ea4127d11097988ca4f1ac1e97bb846c47f43299685b47e690ea65f2a8c544763fee673b90a3a64d10d9a6179aca4c90d95329870975af53b62c9de

C:\Users\Admin\AppData\Local\Temp\IooC.exe

MD5 49949c52e32dd2c2c32ef9cc2328e588
SHA1 8a4e99849528e9559ca7729e586a0fd989d4ed0a
SHA256 ba9205d41f5d7c1c2e5eb836122a7ae6c001d070655cdb1aab65a1793ff5d7c2
SHA512 64b378e7c82abec39b0dfe07446e813a91a196400b764d369a8c6299f119a2d48b0be36f921f08109ace6e65aa5fe63e3304d97837ad7107ad90fa5c975a65a1

C:\Users\Admin\AppData\Local\Temp\IkwO.exe

MD5 7be5ce6e75fcdcfaf17ff4ebdaf7f15c
SHA1 17f12285a89c9c85b36096e3fd56baf2a27d3057
SHA256 5c104e2262ca4d134100bee2fd4f6433dc47fff639721e5f0eb3a87b1e520952
SHA512 bbcf23ed7a376cbe310307a5e1945613d290ad65e18308c69b162e327bf51ee015c735fc581cba349c7cb25a010ce635b5e831df814d6f633bfbac7d00b30960

C:\Users\Admin\AppData\Local\Temp\oIcE.exe

MD5 ddc25563a750c801515a841f0337db9f
SHA1 ce1698794c611a974252fa2269e4b40bd836fb50
SHA256 246a5c370050f024a9d1c1366af197df3000bc737499126be6babe8c047104f6
SHA512 74b8a34adf330272caa29279d648fe1b1b7e5bdd5bd73c0f5a98a7da5cc4120015954d12d5d089d021a1d8748569018ad57f98096959f36e9f8b8ba6338d65a2

C:\Users\Admin\AppData\Local\Temp\McYy.exe

MD5 673d6d4991ed9721ab027f18aa5ba19e
SHA1 d0ceab5b86b8c6e1aad97df968b139edc7a72b6c
SHA256 533ac08b3a12440534e351e15e597288138629b5147244b383b93899a6809b1b
SHA512 aa60516ee011a281d460a4287e223b05477cb14e0a325e3b82c1f7e73e4c3e5a9df2a7ee653a17f61d4c947c49ff6a2648bb2e1029d0151048c3aabbbc7e7a9f

C:\Users\Admin\AppData\Local\Temp\CoMa.exe

MD5 ce27a994d930f1d7a96424b235f942d0
SHA1 beba1a0399938be2937361d5443da20970fcdf6f
SHA256 f850f1a346a72f0a9b583ecd4f609f2224ed80c1ad4b66e876d318b94874a4b6
SHA512 68520baca22df06a6b42e02b2d8fd5ef8259d57532cddbb205919ce32d6fed4a7c1087c7f2d5b35520d2066f6d91f1cee54bb1c28e0e5b4db45a1fc422b82624

C:\Users\Admin\AppData\Local\Temp\UsYc.exe

MD5 6d8ef50d66de878b1d8ad21ea7b6cb01
SHA1 7d4b339f0866e812771a33bddb3849ddcd75b999
SHA256 946cc93014744a4a1439080c020672613a59b60bf4afb49c1bd244fab4eb088a
SHA512 b3366b7896f0382579d614a17d483e50821a7b36b410d4d8bf9e7682a42588f216d461ab4a241366de08966d55691335e6b3a9b5c8795a66c2eaeb8390518710

C:\Users\Admin\AppData\Local\Temp\MwsO.exe

MD5 bc736d5cdce5f17abf5e6a0a275a88c1
SHA1 1b93e23771c011e8f88f80f253d7642918e294df
SHA256 af13a9c74e64bf317995c954b323a04855cd0e1b957ba93fbcbc461e34a22f50
SHA512 32e23cb3012f6f433cdde6913e64e2e3771e47c057f55e182d02a45f312d7acdf4122735c249219b2e21a2315bd3f533784ce470d06fdc517e569e3b2a43d9db

C:\Users\Admin\AppData\Local\Temp\YsYQ.exe

MD5 0c162e96dd1e93ff0611b2fd434b2a85
SHA1 3450ecc646f534cb1d27046a5adc83d90431d2a6
SHA256 9168cdb4154796ea5ff9f06222989333cacbc24f1eb59ad913ff501fd4f6279b
SHA512 d2df7884dbb57d395a76be6cc8473280f3e4e55354d5fc88969fdaef405031890af7d028bfdfeae063a305e6f857a02c6d1fa4e65904afc57698bc4128f19810

C:\Users\Admin\AppData\Local\Temp\ekAy.exe

MD5 49bb7fd3e17f472bebfbdf9a4a8d0bbc
SHA1 b8ec90a23edabf4f76a6c3fdfe50e2c9c549adb0
SHA256 827c28bb3143512c10ac5e7afe866a7d73725cff92582b687573f336d29be418
SHA512 1d05c234f9820e7cd874d33385117e0de632d31dc9628981c6361307af3fb934200b7034ac6e3bafa311def72276a132cfc651bca9818c13ddcf6bfd64522abf

C:\Users\Admin\AppData\Local\Temp\MEYW.exe

MD5 53b8392e54e4206f0a0a37273d92cdb1
SHA1 ff06878522365b7acce0971176b061d9cbae7e84
SHA256 2b0f0b2be5ca4c5f7a15d47807ddf567b484f80262b7a8d1e1ce5c3858b588c7
SHA512 c11177012168d5616618ba9e846c90cf23b14db34b2b186d5cac7d461fa23cfc2cff24025d43cc1e6180b98475fda43601e5aa348b5013d95e0c2681f7951ca9

C:\Users\Admin\AppData\Local\Temp\GAIw.exe

MD5 9f7d014fc85eae9e86d8807fb94dae26
SHA1 89869b6e6d2052418756879ee10be5e6dc845de7
SHA256 23adf26c79251b42882c627c285664a97644efe24f2b4d3b0a7a579364ff1167
SHA512 95c9f07ed5f9b59926e3d00f4e2ff71e04c79cba4f73f0342b144bc4394764b5d184d3df01076f01bfa31bd261fbd39b7f162e5d8122d1154cdeab999b9d8794

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\96.png.exe

MD5 25c2a5bf05174996a80bc2eb779ca6db
SHA1 a337a9482a02d534a898a265a9a2cbe6104ddfeb
SHA256 b0bfd733d7c420d6ab187dbf825d32c3eb3a8979fd578748101d7a064121f61b
SHA512 ac498db9f2839fa2a23352d0f7d74c40aed68346baada9c2563f446f0c3cf493169d9d8a6a4f2862faa48a0fb6de45d10764678d64478f77a49c1c04c007d44d

C:\Users\Admin\AppData\Local\Temp\oMYo.exe

MD5 35cd0eaf469768768562264a87b21502
SHA1 3ff39de3d9ee84ae2740fc1c3c5ec16ef180560b
SHA256 dedf6a7c66b6722cb5b5a223de9f7967138539afa5ca263fac62a0f654503fac
SHA512 b09c81cf12d2b724c4f0c36d9898b7833179cbde32c3e429ce46917dff8002546e33f8d51ad4e19995043dd157d1d07cfdae0b80f6bb7d1046801c8afe6af5a2

C:\Users\Admin\AppData\Local\Temp\yAoW.exe

MD5 04c50937ea9f6aa3264ec397806a9a4f
SHA1 27fec340c05d56bf2aaa4068c4aa3171a69ef18e
SHA256 47313c8a05444617ad3bd4fa4a5d6644d34d129c7d067c6e539b4e1e884eb862
SHA512 797b7093dc2afc7f96cbbd9ea317a2c87b87d3e59f762e7747ffdd39b15f8a95b1b9e0ba8bb46cc017370feed7d9f136c3d0ddabfb8672cf6ba5fac9a24760aa

C:\Users\Admin\AppData\Local\Temp\kQki.exe

MD5 994f792309cc9e0f4f4765061154b3de
SHA1 951aea688d10d1d5fd0de85566d93bcb7455288d
SHA256 31dee757024e525c249d01ce9f3c1bf3b6d14d55509d49a305591d260c63fa60
SHA512 7de3f2eafc240f4b8889de9a44f6184e9e2d0766ed5befd178ad17f8485d284a0e8c02053db5b6292372450cac260068172c1eea40bd02aee7ed5ff9bf685521

C:\Users\Admin\AppData\Local\Temp\SMwC.exe

MD5 ad153a59e35fa6980789284be635b553
SHA1 1a3d2b5f2c07eae73f3cddc129c252ac89c140be
SHA256 adf7cb3cb846424e69e9273b4b75308f40cc2571edcb31de7d16fc3034f29acb
SHA512 224067b3bc21c89102518c55b062df5034d8cee946761986a3e5435ac33bb7d717a62aabdd02d53effc2204f508fefef1413de21a82dfbe628b52f59e57c828b

C:\Users\Admin\AppData\Local\Temp\AgEC.exe

MD5 a5c42e1b84693d4c604a22707ec65377
SHA1 23de0781b1fc1faa764c92db1aa7ce556f294c76
SHA256 c2e7ad867ec25d3885dbeb2b505f4e5b4ea847ccfac6ec8c0aed68f668e040b7
SHA512 fbdaff2dc76da5deca974cdeb6f426d76797d732056328927f64ce0437807cbd61294e34c29643849c7138f06f59e22921966472c7a802290acf64cab6be207b

C:\Users\Admin\AppData\Local\Temp\GQUQ.exe

MD5 610d4de76c4f4aa0b92f2856264da304
SHA1 66e78816b2e1129cf348093e1cdf23067426d35a
SHA256 6596c8dcd7c71f4832494e1f4e81259fa6e3caa7d418bf85f68632334d04442b
SHA512 153b50f0e17b30335983d7dbc628c53ae9b7b827fa5dde38e2bfddec2e77cdf0dd045d7b37dda614908391c05c7b18ab3734e19b9858c29145bd5c966d8028a5

C:\Users\Admin\AppData\Local\Temp\MMIe.exe

MD5 32af6e59e3a2a7b018d273dc1f3ade1a
SHA1 81a04cac02817a5a431f44c2b7dc3f695187077e
SHA256 3ccfef44d00253e6550dd5584187dfaa91d54e7a03311c02c7b42cd34e6363c6
SHA512 03b6d3f9caefce712ed2a7f70bd67e1afc2a9c57f7dfda5dd5cc58f42500bc230445ba7006df39cdfaafb4443aa432b43d28ef25b2b967acdf57516abbe52608

C:\Users\Admin\AppData\Local\Temp\CMQW.exe

MD5 0c3316c0fccbb0754be5ed0ef16a2a7a
SHA1 b008098b14be70c12db108723c0edbbdf325a38e
SHA256 90e12b50a3c8ce8e73356b9d091bc686b85c728a1227e9f3dd6b0bbe81007854
SHA512 01ac2ccff5cc790b4ed511e6765af9382f4a1b043a4a26271608d75ee76e009043cc65934e9a52cc4d29814f5a9a0a6e601c8e820b6b60b67b8c388eb0607ff9

C:\Users\Admin\AppData\Local\Temp\KkQU.exe

MD5 3e246425db73f7e3ed3e4ebae8729eed
SHA1 6496034dc3261d57679c14ec6787466ee0dcd675
SHA256 4e913cf22091b31fb4b27c5201534c0b0aa990876bec1bd4d23a23f8bb7ea0fb
SHA512 c8c1c28acc368860591d60eba8c4762d2b0723154520ef0e640d6ad1a806b67a8bd3710eb9e1ea2890f7d2cb08afc2f0f10be8a3f8fb857a65df9e997d68aa53

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 a24e226c3f79c9f752e8179b5ed8ce3a
SHA1 f81eae02464f8428d3161a8b0b46c58ac65ef2c4
SHA256 f16c4d5cb6a84659b6ae7414061956723dd970d2cbb2f905fedd952f9dcb2d8e
SHA512 a84a31b1c5809fe7246b413505070328f872c9328df9b6cc6c6269649c06237249de904a46c19115f331d4e054231be0dd05d1fc8cb6b130864223207fc1d3e6

C:\Users\Admin\AppData\Local\Temp\SUAK.exe

MD5 7e73a1361575d6e3c12f22375530df81
SHA1 b64f04077b4a80037ec59b3eb99920925057de8b
SHA256 4852a1bf75dfd391045352ae19e65168c9f65c18a10619ab65a915f32b3eeae5
SHA512 1a004b670c2e65dfb405fc86865a7f8429c354f28626196cb27f512cd91f1f3f1262cf6d182f17f18cf8eab7191a850b6b44069bb74238aeed358b8c71cfd30a

C:\Users\Admin\AppData\Local\Temp\wUMq.exe

MD5 32c1b9d69ea7acfdaedfa4f86e741005
SHA1 86318a70e07a2929c98914be4d3644612a8cda24
SHA256 08eb1ddfda5a3cd22f0c32d75f4060bd07780eea9327914bf5c987589a894c48
SHA512 76fdae8f8533f747805f9446dcbb5ce100787d126c63a2f25692d3157085ce2077727939ac800949ce5a4555354f4a13656ea1759f30f17a5eeba4909e43624d

C:\Users\Admin\AppData\Local\Temp\ekoK.exe

MD5 97746c6807dd31248b8925d1df0a83b3
SHA1 98c632e7426e7cff179410f09b20624e90a8ff51
SHA256 e26f20c6802b99eb89a19c3406e96c9d449a61d3422880bf699e64e72ff8b28b
SHA512 8dcfa21936b08ab99742062064a818abd1aae4f47f7c5faa735d3c570b937712e7001d2104f88752762fe7937066040b35cb2caa60fefe0fe2f8bd342e9d95bd

C:\Users\Admin\AppData\Local\Temp\GEEY.exe

MD5 4550994066d890ff0286001800c17e33
SHA1 6a18973ad72b8a8a972b1e9a70d55a61fbc4114e
SHA256 87c94b364297cf53015ce5aa7c8bfb24493cdc3c3ed41f6ebe0d483c2cea4c9e
SHA512 ac6e66f57ca62da89735c8584e80f53ad90da7673f6a2be330fcdf74e6a574c17ffc28ceed8117c88e9562e42d91ff34b03c80958b406d831628cd5b3c70397d

C:\Users\Admin\AppData\Local\Temp\Moom.exe

MD5 5917f550f6bf64062700e4e4f78bde6a
SHA1 335c3f61d3da044475b58a9ba72d447417fb3812
SHA256 4b8a27dbeb0b2c26da76924e41e0318772a92e2d38dd8df7316c457f27d33ddb
SHA512 50b7f3f6952b4fb0098f1c38920623516d9f0002b388de0d36c1b72b6c7714db9eda16c7a49f2b79f7456ee5d43dadef40bab9be6f283351b0af26ae8b872170

C:\Users\Admin\AppData\Local\Temp\ksIk.exe

MD5 b0203c7f05a9c5b674d958c3b8cfc970
SHA1 d079e6e251cfc3b22f411c297bf2f69c643eee88
SHA256 4930bf7552892d01c63328af2a67e05893a1b5e6d84dbfea59e4a4137717bfeb
SHA512 3de86335a7d93049361e840c8b7a61bc65472d0fe823e83e74ca5fbb5479e1ec4f643e7af5df90e1630c12dd2c8129f26aaac2b2189497245749ed32de167935

C:\Users\Admin\AppData\Local\Temp\oUIs.exe

MD5 1e4146924efde7bd5f50f45c5d430cb4
SHA1 d8a7118ad24d6a467594575d5212f8afdd8ddc13
SHA256 546b5bd77bd04b251d29a76fa369f463def8dd54cd8f477e91be3c3ea4f8da6a
SHA512 62032a3ba3a527006212ed251d8717a05d0c98871b656267c4d6676e877e01f7c013484a7fec5fc3f6084bdc3ffa561d57c9bcdc79cfcb1d7c8a667f5723c36a

C:\Users\Admin\AppData\Local\Temp\CUce.exe

MD5 81f9b1dbf26a84bb9fb7a448e6d654c6
SHA1 9d73f42c0ffb5de54e4a293cd9d1d95179229072
SHA256 631f5c76738a78ef61fd157d2107ded4559242de1f0ba4e400709b40e81eed31
SHA512 48ec483b0e55e7167f0b67724aa32e5c0e3932c74fbbb79244442f511fa940fb5c781ff250dc0432301ba2cea0832f06bf8861fd426680e9c26ff2072ef6144a

C:\Users\Admin\AppData\Local\Temp\wsQk.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\kAwM.exe

MD5 5445018172521fa2f5aa496edd9c0e68
SHA1 e929b39c3ab1a9c9c18c80fdb6a4e8435bd71644
SHA256 e6df692e7a16dee3bccab344d2bb909d0fde08c9f8a7ba33a957b688a2875179
SHA512 3cfc40fd1d305effc7f774c0b47bba480263d21f1b8323c3a90fad2920585e1bc5cf4dc633256cb8a5ebf1d6afff3b34ca63e74bbabdaaadf909142215801323

C:\Users\Admin\AppData\Local\Temp\OIMi.exe

MD5 4440bada4c6ec28297ab766d71454401
SHA1 b8aa1003fc44d413c0d398dd1e2a84c67bcaf6f4
SHA256 687fc53778a95ee892c4a1163347eb6df7e4a2e211a48736cc1b2524591ffb1d
SHA512 58a9a5cc071cc02ce1929a062aea8c859048fafb95c1558abcc672c3add3d0c766581ca63e4b018df75803e47fc2a682fa93280a3d9210d0bc88ad5789153e36

C:\Users\Admin\AppData\Local\Temp\ukwM.exe

MD5 0d52b393e144dc09a5c0784fdd09713a
SHA1 76fb19cd18b3c82955651293cf4ea45d01054fbf
SHA256 4b468f1535cab3c5e17c9962f31eb4fcd70d41b2f77eda778023a950ca3beded
SHA512 1f12b9cb36e63ef7181a285801d5f643f5a05e275c4dda5c88136a843eb3eb512639950342098c24d56b4116100725cd045b0b845b5debda4d10ce6fa0ace77d

C:\Users\Admin\AppData\Local\Temp\mAUg.exe

MD5 bfbb02c9b84bc75b144722b3c7951bd9
SHA1 9468b17fcf6e2821505e762887d8583d40d3ce68
SHA256 2203548b32cdb3cd89635424d9e9d340152234c25892a58e4d4f2f434115345c
SHA512 71216c30e7f6c401975cce4b3b1e173262d91766a25c5a57a17c21323eb1be4c4ba1a17b055a599ee6cd5157217a00f86dab8c629fd61fdee0daffb7298b5951

C:\Users\Admin\AppData\Local\Temp\ioki.exe

MD5 22e31fb64978d38ef56a7f6872f37cdf
SHA1 dc573ed255fee58217f88980ad0e04e08b1e863b
SHA256 fe54342191cb641ac459d0b857891820ff1548ed739d2b74c6a82bae3d0c8a1a
SHA512 b3251b1dc02035e125e58b6db47f0f4902f5f4e090b59cafe890c76cbd28589804365e5fe4ad25e1dae9b0649d595633998a8090a9d32fe1463de1c8d08eefc5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 f0e4e0fdd9ad00bb1d9247226750df33
SHA1 d7fbe47a563fe8ecd960f30feffc34ce0114381f
SHA256 7095786d98c03a694f68eac79c90f2e9ef87f09c46f7ec09be85763171eac0a9
SHA512 bbf4bd3df71842bc106c8ceeb7ec075b5684f51c9c9d96009dfc5efc16936b2ecb01a2701e51d1bb59b74e6b029095a9ab33716ecf5bc8076fe264d52fc897af

C:\Users\Admin\AppData\Local\Temp\Uwcq.exe

MD5 fa4ff90661fcf723c6fe07a36d90924b
SHA1 a309b99fec9daa86c4cce1d554a88dca888b7593
SHA256 284d42970482002fe2d1568ea7205ae8798e35b7586e999888a0cb275989e477
SHA512 7bc8ce9e39623c695bff8a688ed6334536425f1b214bdecd1321c7daa1bebd4119c2ede2a9adc296470f70028a9acd3ab65c3a39eacff1981a39a5056a095e1a

C:\Users\Admin\AppData\Local\Temp\Eowo.exe

MD5 21a97d5f365380e70a9c6db7fe80c333
SHA1 f10f2ff2a90329d917faa602c243422068f900ae
SHA256 d9c527965528fb57b1fbf6aeddb8b258c0dacc3eeb684389e049e05126aaf7a0
SHA512 1c23e88a34a7c6f1545fa5f8ea88476a979fb2c55b1fc991e8f7cf0b6619d3b627125b040f86528c9c5590012f6c03394897cfbc3a23d93691d09c67088faf25

C:\Users\Admin\AppData\Local\Temp\UcMU.exe

MD5 150748a5147279af3c49b145d5309785
SHA1 8248c756b95e01bb00b939541921166238adf673
SHA256 57bc764b7936670e392b7cd7c1c210dbb44bcdf071741002aebb2cf3416cb807
SHA512 9b563acff2f84cc4058be4b904a39b3110e2df36487353225d47b1522390799bd29ec495aa73a077a110645af51c6a5fe783c6ae0aeec38d1c0511472e6a2f82

C:\Users\Admin\AppData\Local\Temp\OUQK.exe

MD5 ced903d864fe4f0309b5c81085d5bd26
SHA1 c67938d93c4e04f8c0ef557fb63bba3f305c620c
SHA256 4f7afb255456014eabfe83c8c642103cfaf3ba9576121b21b08f13c03587edee
SHA512 64660cb03231887d936a7f451cc5ff5b018009053c0c67726e1d12cd28489489d46e5650838a78db514902f21818bddc9ba990ad8fdb7b6a280166e9505ef30b

C:\Users\Admin\AppData\Local\Temp\AgIS.exe

MD5 5d4b54db3f206ae402260f2d5cd78b95
SHA1 4ede083ff562d81953fe766dd0838b9fb5eb9443
SHA256 253567e66881ee822042e2a2829302181afeec9843e424fa4724144bf5d72c3f
SHA512 cde128baefa3f398dacbdedc3280e904542750c1295e4d72ded2402899287d0dab5f4474676608302fe2d22377ac09b776364dfe8299b92d8b9a834e50f29530

C:\Users\Admin\AppData\Local\Temp\WIIq.exe

MD5 c083616920a1c824341f982a4f26d1fd
SHA1 52f9b0e8527d382ccac8d75df22b41240fc09f2a
SHA256 8807c60feb279c10851402d622f552ea4cb5e6ce16e103414a4d8d7111a11aa1
SHA512 82a1c63373a115751b96cebf2e0b5e6b075bbeca0b840a737669ff24a943506417cb1f46081866d1d9fdc9fcdd03290a8327173ae4ea2cc7d2f4b4a657e6957f

C:\Users\Admin\AppData\Local\Temp\ucAe.exe

MD5 71226baf9d366a1fffb63e6c6a9c08a5
SHA1 d51311cb0b70d0466306f9c7a5e0b88c1802bcf1
SHA256 c069fd90842b8729ac1e7933ca5e34edfec069abeb7aa7547d1e10b947c5bb71
SHA512 503e43e6e3d28fe022c2d88aae2f3248800931e5d5ab5cdc21ea4c4708056b7a85f05d3572f826f4f126fcf250cc7aa3c1792b8c5d1f1e604263e26dfc9bebfd

C:\Users\Admin\AppData\Local\Temp\MUwW.exe

MD5 2eb05149b697f1c602582a6aaeec51c1
SHA1 a2359ecc0ab9003340a5c8544501f099d431e615
SHA256 4451409e43e67f1187317cb6e26d6644754c5c79358266e248971f64b4a30cda
SHA512 2a8deecd33b78ba8dbef53aa9b1a84bad4594019b8741347fde25cd720989367d80ef8b1bc9c9505f4b63e470f83dbc5209349df3e8afb3e622df610dcaa1b53

C:\Users\Admin\AppData\Local\Temp\kEkq.exe

MD5 68aa3432009dd9095ec1f34ae5c0b9cc
SHA1 352971de8478c1049da8d6ec7ddd5fd4d79c18c5
SHA256 886fd2bf785bda85a77a24bfc298c93bdbf150215bacfb87e8585eaf04b7d713
SHA512 791734c8c59c56e95adf08f4f2985629dda70f4ccaf4d382b3ce172b33bd072ef02bff2097f039c9bb89974c5ded8dfbd2214e551a0454736ce9fcd63333e8a2

C:\Users\Admin\AppData\Local\Temp\SUkA.exe

MD5 6d0968d96eac86d1f17fab5f4bcbe4fb
SHA1 d02c5829ed1dea2ff6fa86488ab9438fe88691ae
SHA256 f7eea22eefd02b908b377374a120de6af776260784e522b90d78867f8b63a0f8
SHA512 06eccd8434d7076fc93e2445c2a4c22281a8efc6ae2651b463921c8ffba015ec018261d1afadcaea0423831a398ee3d567423e4be577a04901b6f7111ec2676e

C:\Users\Admin\AppData\Local\Temp\qAwm.exe

MD5 9459e228ed5d43506c275df922b7d4db
SHA1 84c380003a13733e752a164bb3b24a0e3af99e7e
SHA256 0ad879c2670da3f0aadadfd7373473f7a9e3229e0c11ad110eb0dc0bab2d7f26
SHA512 95a3903b39190f95d3eadd59b3bed4c09e4102380c2154eeb054dc8b098568f29f923171d64d98f962069570feb65e231fbdf9f2d1b7a1a3141610814c503c20

C:\Users\Admin\AppData\Local\Temp\ygAq.exe

MD5 7a122b7e3f92cbfbd3aa5e98728a6409
SHA1 684f2f59163673cdc2bf41e996947561cd53556d
SHA256 463473c93ffd7070b3cc30e4074859aa7dc2b6725ea0d1e2fd58254c11a8b671
SHA512 9bbe006eb1c552b15e78ff11ebb79c3dcb873e5c5d0788c0d0235fb83bdace7b4ce8d800ecf73de4b72343217a3597321f7f50c2492eceaf71dbfd4177bba37c

C:\Users\Admin\AppData\Local\Temp\mAwK.ico

MD5 a35ccd5e8ca502cf8197c1a4d25fdce0
SHA1 a5d177f7dbffbfb75187637ae65d83e201b61b2d
SHA256 135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715
SHA512 b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

C:\Users\Admin\AppData\Local\Temp\KsMK.exe

MD5 821b828cc9096baef3f28ed2ed0f3f7c
SHA1 6b87e8350f76ba8f9e02b1d9c9025d272b34dc85
SHA256 5910d39c5c19df1bcc3836cf1a54fd67b61fedc7fbc73e124053b70cd8aca59c
SHA512 e62b0d7649598333a5d2566eb8b8e14a55daf75efb3456950e22077e0054fa71897002b5e50e033127ac299282ddf7e4bcae53a4883488ad06d7b3103e40d306

C:\Users\Admin\AppData\Local\Temp\KoMY.exe

MD5 601814f95afae87dda70cfa043add019
SHA1 c1b7521c348e4621ab25502ef56f05a4ad380347
SHA256 4cfd7316a52fcb581d21ab9668a56dd3f8890b9c90a10bd78f5a71dd8dac0f44
SHA512 eb3b8388c9c7ec896ff5942427030d48b224a23646eea29523d5ba523a5dd1ee132c8bfe5e1d7741ee50531334e2bc510cbc32533409dff37fd81a3d8d979255

C:\Users\Admin\AppData\Local\Temp\qsAO.exe

MD5 c9988553b6595c6a06c4e3bef5280bdb
SHA1 0590a85763fb88841fd45247f45662c531dbcfef
SHA256 8bb35ae5b9500f3a9eec2c1849cc6b3e5bfebf86c2884aacc407927433fbc8a6
SHA512 9f9ea638dccf40562ab574934d4d735c47292dceaef470791328d571c1ff54ab36984e83da922904f371017b54929050b58d2f8c1c7703d2eb7d2a9e612beb92

C:\Users\Admin\AppData\Local\Temp\akkg.exe

MD5 c6e129208802e8b88fae38ad35488e4e
SHA1 5d859cfc621915637d86229f72a59c91439a97e0
SHA256 c1b2f74b30f64a9d3add19eea90c8068239435468c74e433e1dcdddd326e80b1
SHA512 d2d082c753c323566cec81d8d5875392ebfbe8938ca68d723ccc19e55b336bfda2ed9a51fe7232cf15b27473b21db2ba5b76577b5c02a2ddcc09408d4675b1aa

C:\Users\Admin\AppData\Local\Temp\wYAm.exe

MD5 561d29a7d4381bd392f8aed9b4e7665c
SHA1 b67213c8f9aa85ce69ca16c1648a4f83abc6e0b9
SHA256 af43c3ae782713b501637efc368ab4c3bdb00acd1ed0bd09caaac98acb670614
SHA512 0241cdcda4fb4268740d744ac02772699393d8021b0ec8e26ea2e5ef1419df601b456cf6cd60223692fe565944295b51aad2614eaa1c9de72f688add1c1dc37e

C:\Users\Admin\AppData\Local\Temp\Cowy.exe

MD5 d5d242512c6ffe538af8f24fc3f6b67b
SHA1 fd0d4756ab838b51ac6b7ff958a118171a6e27d2
SHA256 f80c96bfce24fef4294ffe28767f6a82644c9ffe16a0813f311d2926a42e3f62
SHA512 c62453cb3be1a14a750ef390e99a1c61bd859fd293c142b53e18bffbdf36436f80fefb15be0ee5e72a8e8c24c505da6bf2b5dd753c13b66f49e67b7584f2885a

C:\Users\Admin\AppData\Local\Temp\owsA.exe

MD5 1e12856d063d6b42f236e65f0af930e1
SHA1 abf1cee0536b720b7e56e33fd8e75f46397c2aa6
SHA256 e51e16e34fb8f4f2ecaa59ba863639db2c4c140c31e7ad5198c830a335846e09
SHA512 ba7580902e23606650dfc405b618a11c1f7defe1d86bdc1e58dc4bac694511fae7205592001228d48828c71eb2b017716dd5c1cf7f409c25681bcc448ebdaa3c

C:\Users\Admin\AppData\Local\Temp\sIMM.exe

MD5 25019b066583c7992dd44aef72836683
SHA1 63ca355580344eb5363a44b31424bb76de5a801f
SHA256 7f4f295a2b55fefc96f9256b7eba68f955aa52b8117f76b96110a31839aa9130
SHA512 d7a9ed016f26e9682d7d14374feaa701d8324bd4a7e2aa4d56f511b237ec21176a49832f4ca2bb2aa45b4f4b7bbd6a5a634bf388d72f21b4254ca48ff828fb0a

C:\Users\Admin\AppData\Local\Temp\YgQi.exe

MD5 8186e262c15330fb07ef4d9290d2082d
SHA1 11a8d8502467fe61af2dfaa958bec57e0c261616
SHA256 c70f8096fe05d468d2d6721dd932b05378efd8eaec04286a19c72e54c7a1931e
SHA512 818da4e8daac8088ad2bdeeb2fb64a8ec66fa9dab9d14f5ef8a94f366b621f1b3384d19b86acdd45276d9f0489db076945118364ee2d9a4efd55adf3e0fd2516

C:\Users\Admin\AppData\Local\Temp\mAks.exe

MD5 22e352a1a3bc329e1d643166a5f11d07
SHA1 3a6fd9edce828b6deb216fd530ad3a8f3d3afad8
SHA256 541953bef5559e4b99bac0edda5a17ae9057239444f33c4496c6fcd4c36f9abe
SHA512 b47db510cde9b3103f19d43caf7a91f71f5d2d3393e27e7a6f0060bca03c33f84719cd20dadf463de6267e947fd5de574e24c5e2cdc0cda32353681aa0c5606d

C:\Users\Admin\AppData\Local\Temp\qMUm.exe

MD5 553a34ee953b1356bc7b416dff39fbc2
SHA1 8d6fa55409ab1ab1de4e6d4e6f98710246354795
SHA256 28a6039bced4c82d9f671cd89324e3affcf99fe16fc662e711d66a149dd91370
SHA512 9ebc6d4e002e3f4279ce2f25c41101da56fb48122157cad0f8c682a37e039741aac547626fc1ba70f425b19654c9a7e32ab3a0881f5e4979e8380fcbff00ba9b

C:\Users\Admin\AppData\Local\Temp\aEsM.exe

MD5 b300f95f9e2ff9d94f3eba5ebb991d46
SHA1 cf348b448aadedd658fdf8eaa0e89fb6910ba086
SHA256 dea447c3d99155df921fb7e2b985bd846cf8dcad0a6a4ccacaec957fa9cd0fe0
SHA512 0bf9fd1daac801289fd9c3a15de4bf870158d6181d86b464b6bf8dc3da016c195b6a26d62cb76a70cfbe03ded155de57497d1ca93094b95ce63167df78838dd8

C:\Users\Admin\AppData\Local\Temp\IIsg.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\OsII.exe

MD5 f6f0173f9d278f8c0424993e8f8db975
SHA1 708a83118df53ff411eeb39231dc62c78962bdfe
SHA256 6441c8ed217386796b7c646322a6c4a9a277386d1d25406c097caa253453240e
SHA512 37c684c07343e248357ae7d62bb9b344a2b27357ef383999825b7a0a1b0a7c8b6246054cf0d576350b62c310dbeced83dd52680e01fc3b6e11ff38ba40aab679

C:\Users\Admin\AppData\Local\Temp\AUEK.exe

MD5 2bdad8fe562303a42945babd021ed64d
SHA1 116a4adf0bba195f3d930aebe1f12fa73aa65f60
SHA256 7d811e5980bd4c6900dcbf1f5f21d65bbcdc102fd6b69e74ba0ee4a18417bbad
SHA512 5c0daa96b611d978d38b9d19ff688e3d7379f28e4ede0b7f9e790e35a078a92ad8ae53d54a1e02ab0f8ab9b2bb664a05297d016abbafb00931159dd15c3eea5a

C:\Users\Admin\AppData\Local\Temp\WIME.exe

MD5 348b0d165f72a2ccf321aaeaede11b4f
SHA1 020c80e1c5e94c0d472c83c73ce10ce0799252bb
SHA256 105ab79990d391e862be59bedf8abf3944db7c4006a4e7b1340bf26ff60c2d1c
SHA512 9049a17cced95c3386ce77c7d02a4a061c3b34b28147593f8b829d51d35c0de2dbab7084b19679afb87d56c7267fb5f6ef1844bb41b51a502241d2fdb744c8f7

C:\Users\Admin\AppData\Local\Temp\GEEO.exe

MD5 589be36fff1904878c479e9e9bbd0568
SHA1 7d96859ef1b9dfe205ea03089f0be39773fcd49f
SHA256 797037d0d8ded9964ce5dcd047945ed1d05ffc2eae1bdb49935c5705a3530c1a
SHA512 f610afae35096214ba6939e70f06e4db750aa772dffbdc45d0e9671288d74597e4c605f7ca4edc5c6814ff29cdbdba7a8ba0e40c06cbc4d40e2a540b46199edf

C:\Users\Admin\AppData\Local\Temp\qsYk.exe

MD5 e03dbc3875e457dc4b0cefa8a9cb4c01
SHA1 4fe29c83a9612dd81867afcd713a4136c6dcbc74
SHA256 6ed0d15f78f4d5d4752f84f290b81fd7e64d86385ae7389c6ba8e0a203460516
SHA512 c9abc049cf5a7ffa6ea1a8d72aab9949edff0e8e4b0a0c82ce8b3b3ce0bd8b8206f3ef14b50695601bc11b6b59c4691453a0051f0edf2c01ad11a8f9335a6f84

C:\Users\Admin\AppData\Local\Temp\egQU.exe

MD5 df07998b80ba5bddd566a80062cb0406
SHA1 c400eb6ef6be630d9c96d20e5cfee36df3a92620
SHA256 f5cbb6d9aab3b108ad94406fbf8e7de400d943c69008e30cffe7fe09e19f248e
SHA512 d44bc6bcaab48199fa40c7a664126b261a239d8bf4e11de80d407f73f14602f845807784d7164fe8bc758a0c99a1352c4d357e338dc280817aa097f4b89a8740

C:\Users\Admin\AppData\Local\Temp\YAIM.exe

MD5 c39198becf44114472a0d4d0d0f8b16a
SHA1 a0086e347e7335d0d632160ea9d2719fd6372f8b
SHA256 7e2fa2c92ddac837e54820e45589411fce77808cb29fd2a4259c69123b65d249
SHA512 bfb7ecf3eaa564401cdc3512c74edf4a3a4e1caecffee7a95703726cc87687829c45cd75fd56ce74e9d7f398fa4b8a7a58b02907249bfce69db036e4788f6680

C:\Users\Admin\AppData\Local\Temp\YgUm.exe

MD5 9695b34c6643a64f4f1737b5eac6a6c8
SHA1 b85b4fb89ac5081d99ebb38dddb6fbe70b137db9
SHA256 1b75561c5aad9f64df45ab8ed19d8d82f008c5aacab24be24374a6210da269fb
SHA512 cd726b9ada5e274fba50ed2d8d279eab8a60ab85daf60a191a2a4209b8a0a5cc28fedc8f9f0b40615ee2860272ac707b76fff9d763736d873632be1aed120ffa

C:\Users\Admin\AppData\Local\Temp\mcgY.exe

MD5 f3bb383ab45b48d0e5423a2168ad544f
SHA1 a4c63d1f41cf61882c1aa32fcf68a6645b03b15e
SHA256 8b632e505a4ffdde7da8cf366298bfc9608aa9a1c659ecae049b920c1056d8f7
SHA512 253466b9ccb2fcd2146c8c722a52ae60ce383dc766dc8f0d810d22b9ecb92be3b8812611bb996e271214c58542c457487cf1f5e536c64e4fd460f38db8060849

C:\Users\Admin\AppData\Local\Temp\aYgo.exe

MD5 1d83478095c0f8363f477784d4dc03ef
SHA1 32e1d537db708e817c082d2bcd1a582038440121
SHA256 37595ba50c9d7ca1276df1126e81170b9af77b2d6fd6a78e27d7f85a1d25a338
SHA512 ae8acfd9a571725dcdf812818e2000f1b764566f6026e2e211462d6689e8b7496c557f70d2d950f825b24f8f1e5b73a40a839f82bf26f3980920a5173a3745a0

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 cb2186de9a20b68e1ab84735d9a8ef73
SHA1 4e52a8bebdf0713c16ac2f21337835533fbb59b0
SHA256 137073fa3a820396c416c6645dfdd7644d4ee4c064005a5d55d36efc4d6c816d
SHA512 24ad1594c448e4fe5fc775725095c4fad3265c922978a8832327a29e322275f27e336354f5fc7998592eb0ea9c6ba3e9f349738f1b25b5316a85c200fbd5e37f

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 ebfcd97c1bca03ff174172717b4070d7
SHA1 08cdfb32fcc73235f8b9595171370935cab19146
SHA256 33112093bc11b8464c2c8ea22c1204518c24a9b54f1ae081ceb1289226d9b99f
SHA512 ff00034e3ae41188231c5b2b115a9d09635385b6e4ae1faeabea912020cac004779249039cee31ca9cf1c06e0a7f58437d06f444e5ea1bd6ee71b36edbd44767

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 395d7116ff0a280c18443bf9efe89b31
SHA1 8af7b1a715c6d287cc67fb4bfc95c32e85d194b5
SHA256 23fe64bc41b771d9bd9227b4c9cba5e4b1505867f68401517be0bd85a2e5695a
SHA512 ca867851183d83e848bb3e9787878339ba9bb2c88574c22fc210a4d00892dc7f9f2b960e604cf50a44703cc7f74842e4580bf164f629379e5bfae598804ffeb2

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 673df1e460c72da04a63105c0eafd126
SHA1 142b0b44f0584f847d3e5f76409fa8d6dc29a32f
SHA256 ff43ef42f7d8ba20d5b2f85724a3e69d923b56fb219eb77a0ae321e0ba5cdc3e
SHA512 8ba2c917908b1848ff49780359d84795bf5dd14f986f8f13cf55019fb1a55b2065c7a63328ee6e9961a40d24b5bd84b5ab46b1c6b3dd2e59dda68ffec323f36f

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 b2c511c3fd2804b4f707043a559c7050
SHA1 b2ea5f180e7162cf71c026526cb49e850ca745dc
SHA256 fda3fefa17f9f667fff08e7f691da217409375c766e2997b3cce6d74b94243f3
SHA512 30d540e7c717d474bf3b95a2842b44b197bbb27ab09514d404052027b61897f953e08553d18d2c27cf92990e27a1a4309c5f17030fd963e525a13ece176cd84a

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 64435a039dd860af88b5fec9f777dfe4
SHA1 671301174d3c7bf13e658cbe81caf9a8da433483
SHA256 cc2ed501f69bfb9ea58cfa4b746e804137d8b89726197063216dbd6f5246dbf7
SHA512 6f057dcf52d813fbc422510b26e7101117dd3f9e0fcc60905716b64bb8e368418e6b9a2685dc8e04f26bb622415b51567b49da4385709de3e56a61002240457c

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 ad0a84a24d629346241c8262d7e16d52
SHA1 1f626235bae3fa05ca7c85e7212d7de7ecd25d21
SHA256 2b552f0177fb0dcbe34b69ec10032952ef17bd02329be606fea3e36f0100d1f9
SHA512 a1d963a89da8eb81e5eff496232a5e508a644ab1d38a87a66d646d69a8ed95a1efa61dedc65d8e8833484b688b4e096a4bbf5447318e32ebc07adb42012db5e6

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 0e8e1e97f3cd91582983d7379dc60cd4
SHA1 b4aa0b38c590305a9ab62876668f5bc0cba51079
SHA256 1ad6d8d618a7e3b7cba2301d661bb4800af32438a0e227cba6750b5f6ec54804
SHA512 b141c84adccc3e22a2a978907dc79f8e1eac41af4183f27399efdae582e2be094b10cde3ab2944e951da3c316a879c10354015b68ca32b5aa7c9f034b847184a

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 3380eb1defd241ee6bb8cff5c5832d25
SHA1 279f1d93b27d6e5a5e7cfcff38df1ec1a76fb064
SHA256 c3858ad5f0f7003cf09e71790f2d584e377ad9ec5b9bc592afb9a43637aac906
SHA512 6f74c4abba34e00bce484f04ef22c27a037b4ed70680655c01d043d28b1f963339da90365213bc7604ac73515f9fb1a45baa2efea5f4687ae10d63a6001c7695

C:\Users\Admin\NaAwwUEE\ggkkIEYQ.inf

MD5 d74b4f3787a1f9382ebf5fdf9bb17880
SHA1 430963398c558fc5e669edf0b83b67713c21271c
SHA256 a5af2fdf8d0470146cd36259c037f8699590eb813cd1875d62a1208dc7d52a7a
SHA512 d2bf0c0d32a4f9b4f961153f30a7bb007d000438937f2fd8c6fcd5409979bc6d6372d96c2cd297ccdcb145173a84790cfb0e7a12a7fa06e5f7ab3df28f8243a9

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 40cdea3ea1e9569ffdba2f7f16185308
SHA1 cffafb58d26d700e72d1be702835e6d486a8d05c
SHA256 7a8bebf87364be68f0797e2bd5ca0c0e07aae875ebcfd521f69f522e4c2120d8
SHA512 8df0932ac63318cdd2ba94f5fb5a4ac442d2acd2d65678e4656fe4994577e20851fcb58db657e43956ed1d8f042f97b5c66ad2df129fd7bab91e1cd82abc0a30

C:\ProgramData\VQMsgMUg\KcQMIAgE.inf

MD5 696d499c6516808f5e92a574c75ac70b
SHA1 44269217255cb06bd4e8d753af017b261e04450d
SHA256 f8b179b269fb18b96039410605673a7c6fbffa3090c3d96abf8c0eca73035b06
SHA512 5be04c9ea1ace2eadb6010a351617a8237f0dd9e699f099523d8fe548c8e4a3454a6716cc527b75136bfb8f4303266006bd80e553565132b1e6ff1823b31a9fa

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:35

Reported

2025-05-29 10:37

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (90) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\sussEYcg\wWwsUwcg.exe N/A
N/A N/A C:\ProgramData\GWMUswwQ\dKggoIYI.exe N/A
N/A N/A C:\Users\Admin\sussEYcg\wWwsUwcg.exe N/A
N/A N/A C:\ProgramData\GWMUswwQ\dKggoIYI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\zkkswMkg.exe = "C:\\Users\\Admin\\yWYsIkgI\\zkkswMkg.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gWMMgUYM.exe = "C:\\ProgramData\\lKoQsgQU\\gWMMgUYM.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" C:\Users\Admin\sussEYcg\wWwsUwcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" C:\ProgramData\GWMUswwQ\dKggoIYI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Run\wWwsUwcg.exe = "C:\\Users\\Admin\\sussEYcg\\wWwsUwcg.exe" C:\Users\Admin\sussEYcg\wWwsUwcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dKggoIYI.exe = "C:\\ProgramData\\GWMUswwQ\\dKggoIYI.exe" C:\ProgramData\GWMUswwQ\dKggoIYI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 1884 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 1884 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 1884 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 1884 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 1884 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 1884 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1884 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 6016 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 1916 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 1916 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 2300 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 2300 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 2300 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\sussEYcg\wWwsUwcg.exe
PID 2308 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 2308 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 2308 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\ProgramData\GWMUswwQ\dKggoIYI.exe
PID 6016 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 6016 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 6016 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5012 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 4136 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 4136 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe
PID 5012 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5012 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4644 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4644 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe"

C:\Users\Admin\sussEYcg\wWwsUwcg.exe

"C:\Users\Admin\sussEYcg\wWwsUwcg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\sussEYcg\wWwsUwcg.exe

C:\ProgramData\GWMUswwQ\dKggoIYI.exe

"C:\ProgramData\GWMUswwQ\dKggoIYI.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\GWMUswwQ\dKggoIYI.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naIYMIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Users\Admin\sussEYcg\wWwsUwcg.exe

C:\Users\Admin\sussEYcg\wWwsUwcg.exe

C:\ProgramData\GWMUswwQ\dKggoIYI.exe

C:\ProgramData\GWMUswwQ\dKggoIYI.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCIgUEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agYAEIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKEgkwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMooEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIQAQAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwckUcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYckYcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqUcogoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOQIkMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQMAwMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMEYMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoYEcUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMQQEYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyMIoMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LysckAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYIEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiQYUwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwEUEIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BakEcckM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSsMMwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMcsgAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOMEYcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyEsYwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgAkQwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAcsYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqkYQgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEIswMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIEYcUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruAUsIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMQUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkIUgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOAckcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESkQEokY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEYsgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuAwAwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jskkkQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqQgUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWUgMYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOcQwsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQAQkQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGQQMkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKMAooQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsIUEIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyYwsUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymckQcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYUoEAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISIAssUI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkAAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgUscEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAMUgQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIUsEggU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYcYAoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEEcMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEkswIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOswYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgUwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUcIoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOgUoIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOAogEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SskksMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAQgkIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awkkEEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEccwkgE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMcYQsEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jScEoUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQUgogoE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOkYAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcoYMcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGQsIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PogUsMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYMAUUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DawUAcok.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgQkEIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aowgcgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCQEkMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQkAMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmoIcgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIkAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCcEYwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmwkIEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tukgogkw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEoQMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUUsgMME.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSgcAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jekwMwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LScYEsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkUIYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bukAcgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmcQIAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcwkQAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqgIwYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saoMMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQsgkcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAgEcEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGQowAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeIMgMoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwsggYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqkEoosk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYAgwIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUcgcYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCEkksck.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TogMQQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcsEIMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYYoQMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yeoUAkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkIAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swMkYgss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kagYUYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKAEYIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQIYIowU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BooQQcQY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGMsUooc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEkwUscw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEQUIgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcMoMsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIgsoYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\yWYsIkgI\zkkswMkg.exe

"C:\Users\Admin\yWYsIkgI\zkkswMkg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\yWYsIkgI\zkkswMkg.exe

C:\ProgramData\lKoQsgQU\gWMMgUYM.exe

"C:\ProgramData\lKoQsgQU\gWMMgUYM.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\lKoQsgQU\gWMMgUYM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1500 -ip 1500

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCgEYUss.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\yWYsIkgI\zkkswMkg.exe

C:\Users\Admin\yWYsIkgI\zkkswMkg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 236

C:\ProgramData\lKoQsgQU\gWMMgUYM.exe

C:\ProgramData\lKoQsgQU\gWMMgUYM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 128 -ip 128

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 128 -s 200

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgwscUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSssgosM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMoEoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEokYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEssEso.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEccoIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQEQUggU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuEUkUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsccYEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkMsoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAcUcMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOoYcYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsAcYwoU.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWUkoIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEwQEQco.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkUwIIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIMkMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
NL 142.250.102.100:80 google.com tcp
NL 142.250.102.100:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 142.250.102.100:80 google.com tcp
BO 200.87.164.69:9999 tcp
NL 142.250.102.100:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1884-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\sussEYcg\wWwsUwcg.exe

MD5 5aced52e60422f0a0b1f20a90c196eee
SHA1 eb4f77d78ba93190d774a215c1423ec98d132903
SHA256 4c60f546e9992df072295d05dce10ac3de2c98128360136c1fc22ee1604e82d5
SHA512 058c30fdd3ea34407c4a86bb6bfdec5e9ef7975bf5ea5933426eb16001812be3e3106321d7e01c290e802d26b8adf7c127ed2e37d297c3f4e1da56b73bf05f97

memory/1928-5-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\GWMUswwQ\dKggoIYI.exe

MD5 d2a9a678819019c7bf9b3083e059044b
SHA1 24e12349c35779bb88a0500f5c74d12d6c579658
SHA256 def091fbbfcfc34ada9f99c778db03f77f0e70e1f1bbdab2e220bbc1ee279fcd
SHA512 aa21ef61c53bcf02e754cafefce551edf11c164d0ec4263558912b51d01122fd3a4c83b4ee50bb549758bb8538cd6f2b9451cbed0cf195ed733869406ba3e687

memory/1708-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1884-19-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5000-21-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4828-23-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\naIYMIsY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\sussEYcg\wWwsUwcg.inf

MD5 5369d9147be31024c4777ae4722f8576
SHA1 7dbd39d379727762a4e839b2a60c6c94bece4b8b
SHA256 fc8a0bee5ba29a391f9e3f7508839ce0f9a78cc6eecdd26568b0363f20572d07
SHA512 8910fc9c0144a63ab0b2b50eed9ec97bf52cd775bd804c4d24c40b7c2df4ea6dc8105123e31c79cdac9f9abd3f6082fd64d75a1ec9f49213194e995dd807fdde

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\sussEYcg\wWwsUwcg.inf

MD5 44308ec74e58ad0318ff4bdcf8e8bbd7
SHA1 d66dc5abf25928a09ec8dd48815571bf28db17bd
SHA256 8c92b5be28a0d55d10922adb4a8a3551b69359f796338e5c6f2d18f5acc3e455
SHA512 b143929505d20cb53298d7d8092ac0b823636141ea921329b4bc5e8bc4cd2d3446537d7855348599ceaa85f5b070f575747282863f084be95b7582a2056295a6

C:\Users\Admin\AppData\Local\Temp\2025-05-29_f8bf3340ea587acc2f96c24372f29edf_elex_virlock

MD5 00974aab6b9832933e8ac609e50e5dce
SHA1 6fa57587c15d3de9c9ace6da93ab80830bd87771
SHA256 7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6
SHA512 c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47

memory/5012-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4644-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2092-70-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3160-81-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\sussEYcg\wWwsUwcg.inf

MD5 bc012153915aa73baae10cc4dd703292
SHA1 b9e801b3be5b13e3ddeb7c3a02614983988d3261
SHA256 6aef5b081773aebf2d36e04920396407a444f1e39143e5ac695db258864b0e21
SHA512 4868ab0d0a541c160e1f8c0640e75ad79bb84b899d3230d26f680cfaf1d96b5a9dbacf08551aff0727ef2cb4697a7c38578ed3bbdcf243e3f6651b303c2e204e

memory/3024-98-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5796-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/6052-122-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5528-133-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\sussEYcg\wWwsUwcg.inf

MD5 593a131a2cb9e716d8883e10821393b8
SHA1 5af84f68831efcffb44a512da5a8e7cd0ddd0c40
SHA256 6919cdc65034eb00b2f6f43fd04d921ad09b90c940681dc63c26c8c179bfad83
SHA512 b2fe3e3feb52091be8ded18f90b1d8ed05f9f930d2db95252d4ed1435aed05745d040ac6d6320d6ae6c2e46ccb754a3de766e8bb1f9001734fcdf2b9363006cc

memory/4572-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5076-163-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2388-174-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4812-185-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2392-186-0x0000000000400000-0x0000000000430000-memory.dmp

C:\ProgramData\GWMUswwQ\dKggoIYI.inf

MD5 38fc90b3613969475b51f658cb934e98
SHA1 47f40563a73e59afd754fada07e0d696ebf3e4c6
SHA256 8a96e36d1a3f20fe627faedf8197bfc61aeed2414478b37933899f47a6c3df90
SHA512 5a179c6522495ba10a2e36f90300d9a59aa2fe753612a26cc6df43c767d6cc3189951fe358845570d036b29fa9ac9797fc5073b02474581ba8e0976eef9a97bf

memory/2392-203-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3260-214-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5444-222-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1776-230-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5680-241-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4140-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3728-258-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2548-268-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4580-278-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3480-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3564-294-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3576-305-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5988-314-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1908-322-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4836-323-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4836-331-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-340-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4624-343-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-352-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3052-360-0x0000000000400000-0x0000000000430000-memory.dmp

memory/6140-370-0x0000000000400000-0x0000000000430000-memory.dmp

memory/240-380-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5732-388-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5560-396-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2084-407-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2344-416-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4376-424-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3280-432-0x0000000000400000-0x0000000000430000-memory.dmp

memory/768-443-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3052-452-0x0000000000400000-0x0000000000430000-memory.dmp

memory/6140-453-0x0000000000400000-0x0000000000430000-memory.dmp

memory/6140-461-0x0000000000400000-0x0000000000430000-memory.dmp

memory/668-471-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2988-481-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5940-489-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5512-490-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5512-498-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3012-509-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4376-518-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5564-526-0x0000000000400000-0x0000000000430000-memory.dmp

memory/768-534-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2444-546-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1976-554-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5324-562-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5160-573-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5940-582-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4296-590-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2088-598-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4448-609-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4700-618-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3052-619-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3052-627-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1564-637-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3032-647-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5732-655-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3140-663-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4300-672-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5248-683-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2096-684-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2360-692-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2096-693-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2360-701-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1008-703-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1008-714-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3040-722-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2380-730-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2272-740-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4044-750-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1172-758-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2288-766-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5384-775-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1928-774-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4436-779-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5384-789-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1708-785-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3896-797-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQoA.exe

MD5 c16ca63ccd52cc3ab658035b3d4635a0
SHA1 021978033adeea66af2d5cc721240a1ab47bffbb
SHA256 2844ac3a0cedf18316d8eb62b7d7a416991590fcb6b00f149513f29beed33752
SHA512 044f348303bac376f6308a4b9a4d441bc958b5836d3135ed5a7963c1f0018f5b112a311a5c3aa7736bb538a349b928c307911c0df0d3dec7c3493c545ea82b09

memory/2728-822-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mosc.exe

MD5 6c56ba9528318fc434affc0ed528c05c
SHA1 c61969687fe5d51e5399c4a3edc305c26948e9c4
SHA256 e1e0680c922c7e12ffb86b41d10200dc279e836d3a24254a4a565c01db39929e
SHA512 3035e9ca31983c0eed310fbe972d51770bf763ed4e1efc28112ea1598191a6e9a4594c2ab1ecba8d89479515fb1529715c5cc42c77bd47053e58765d6dd0690b

C:\Users\Admin\AppData\Local\Temp\YokY.exe

MD5 5de0c22448548f03e03afb8615161048
SHA1 b8d5562bcc59480cdaeeeeffc818ad66b65eb184
SHA256 902d070a22f0605795030e39f25a5276709cff2a1c7804dce9dc2c564c4415a1
SHA512 c987d548d3556c14d61628eadca906905d68cdf2c77b8aaf2d9e69da2ef280f12fd5db608774bfa55463797552fae89f48f668c5f64ac3d6029f8b832deb5b8a

C:\Users\Admin\AppData\Local\Temp\csAy.ico

MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

C:\Users\Admin\AppData\Local\Temp\qIsW.exe

MD5 2379ebac10cf64caea84f92cef82450c
SHA1 88d5603a664b7d293667edd95d211152f3f3e578
SHA256 dead31aa3571d7a297f7d8bcf5224a4faddcb7db3815ff7feee9ff1208a49de0
SHA512 264140540e8df4f6cf93d55c313e198b4fd0c71f5d11380a11ce3e290e23a94d137b950b189dcaedceffd3a1cbd63b69a697e7d938e1223863841e260013313d

C:\Users\Admin\AppData\Local\Temp\wAsq.exe

MD5 04645cd1e89b84a924357fc89616d9c7
SHA1 397030773605cafc524dfc135f0726bdf02ca33e
SHA256 460a344b51a6f4765606887fd0046c964e216172e1fbe36ef37a381415be7321
SHA512 0701d5f9ef68383675487546d2b2507f9823d3701b99ff847e0ac4c33358137bdaaa9d4453cf559d756cdfd8cbe3e5595b841f73017cbe08e7005d651de8a9fe

C:\Users\Admin\AppData\Local\Temp\mEsu.exe

MD5 0c482e92026c381ea0b1af83b258d1af
SHA1 e2f44706ece66d55450447ab08e2d1bc0bf4d18f
SHA256 de2196133efb475413f634bbe143d36f99c5be333be482d80ebfefcffe42d6f7
SHA512 474667ce2ee11355fed69930baf2f3879c4ff152d6980ebc4dbf649fb49d7b4a601776e0cd1f67bfc256d51f4c51194f7943a9558a91317274065cc6ff0c696e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 5e6d3c517879e852055cd6165184bf9f
SHA1 1c5288780125b423e4a3223622102bb60d0e5b86
SHA256 805c245d98a1e9eab86f07b80e8be647567512d628be89129475e7c2ed25d0f5
SHA512 2b5d71e1db1f98275896148d6321ed301d312cce6a025614794e7e23b2f75825c6afd0bc3cab302d176440e2e7594e8b83b2faa8666c7df451a2638ea456aa94

C:\Users\Admin\AppData\Local\Temp\Mcsm.exe

MD5 569f5eeb2dfa61c44e7231863347d703
SHA1 48ef1001a819c687851f3bfc55c8ce158664f63f
SHA256 5b51a5844e4026f1ed72e9c9652fd6d48d0cb18ae19b5b85d5f893ac284e4358
SHA512 cf712322d48fe8d8b13319bf122ac33d81cf757fc11f6e16a9ed6259a5c858c38f8327b17194be66f255d8a34386a7a36d5368adcfc15995e51ef2c2a264bf0e

C:\Users\Admin\AppData\Local\Temp\GMQq.exe

MD5 5be15940d4f1fa48ab1263a48dc649bb
SHA1 9707d76ee7047bf2ea4ed6dc4aba009162c0e8fa
SHA256 31c5be420db61fef3a398edc96d0290cf5cdc106261c3551662c8e8f9d16b371
SHA512 500945a43662a7e3be22aae8bdf0dc6e1c210b164fbbc096410e35e42918a4b10cf8697ca00941737a835fad1f8b5cbf5c19ceeefa358bc60d5c3cabfbbb09da

C:\Users\Admin\AppData\Local\Temp\WIAE.exe

MD5 a2d49bc8e88ded6d22eef7f4a26306fa
SHA1 8194e3ff5796da5e61aa6e3d8cd621568d21a055
SHA256 307539bd267210ecdac11d3d3fa92fbf1a5686f02540aed0dadcf728d5eb9f22
SHA512 c1e9ca9840e3de0bffa82d664a97d369c6f352c87f092b12686d0f175f104385a32c969ca95a76f29fc53f3532edae6c1eb0603f787bc8b0d6eb8e1857301d2e

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 d77906482e5bb46d2e6288f257e7fd3d
SHA1 feda8e117e200f7804f8706bfd037f7fa91867df
SHA256 19287507d9e829bbe81b528cb557f2d6e031c6fdd5129277a02bd041e8bdfcc1
SHA512 608002f17ee8805588d71b60c69fb7ee8b610ead2140c013183740e4fdd2a26462ac1265f02f8af3fe40cd631bd01cc70e0b6add74bc9c4318dd2db2ccbc2aeb

C:\Users\Admin\AppData\Local\Temp\IwUW.exe

MD5 bc8ce0c9801e4b5221877ee6ce7d94e4
SHA1 4f93d42813a2b9f2594ed7d9cef535b41e0b0ba8
SHA256 c8952f633f527817d1276a5a42407cae3396a54a2f65ea386e0fe725d202c765
SHA512 d7f56ed6b392c7cdb7757b7b8dd05f7e2ebbbba71f959b1454254b8f0ca191635fcb45ae1f1bd431d826f50bc792c2c7d6a4b78a92710f0aa5aaba0bcbe84ce8

C:\Users\Admin\AppData\Local\Temp\isAU.exe

MD5 1e509a6e730508d482fcdb18b85d56fc
SHA1 f9845fb8db796bc6affb96d4754f9cc0f56e1b33
SHA256 a153581cc531879d009dbe2c2e38da5fb3150269c074d1c59cb66de749865ec0
SHA512 0cbf6ac083c6aef05ca7b0e712ef9f74a2bf7038cbf58d3a71616a26f453f41c6d14881d6e015153086c2f70b45df32259e125a7f6b682153a6eeb57e0c1738f

C:\Users\Admin\AppData\Local\Temp\iIcW.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\AEQY.exe

MD5 7ec059ddfa87d1f4f6ac2007154a2d61
SHA1 a802ddce9f351fed0a1fe30e0a5c5afc43899db7
SHA256 57ffd64b836e88421b501cfa70a294550843e740f1dfdbd53aba9d93692d576d
SHA512 c98a0b605ac0836ef355101af28e3a6d71e8d23a249ab7b1c58ce48e0bccaf64dc86983667ed826b2e4d8be094adad8eb732434fb60c6dca5d6384cc5f1a82d3

C:\ProgramData\Package Cache\{5625bb48-295c-4113-bc92-d6a69b19b04c}\windowsdesktop-runtime-8.0.15-win-x64.exe

MD5 2d16848adcd87481d0cf8d58cde90fef
SHA1 e732a7d858e3f6a89d7b2fb345c792d7cc2fca01
SHA256 ea81df4c5766ef37f370bd84a161d018cb973ec10d5efefaca82d4cdeda0ac86
SHA512 1e2d66553882b93df4f00d09409fb7bf720f6aabc48671b8d3b5c0cb2e17b49a68f7f5a90cfa21d48d556d373a97ef471b7d51785bdf59b57dbaaa84e1edad48

C:\Users\Admin\AppData\Local\Temp\cQka.exe

MD5 3fd4cc3726e2f4fcfd1f8a733b4afcf9
SHA1 82aa348d2aa36c7d08d9ec805b2811cea7348482
SHA256 80dbd890495af4b5b3195c41068eae0b9d93d96634a94b011fa12f929c636cfc
SHA512 09a366bc2d7de12fb1b1027a27bdb99a712b5045b8a0de6c44b88ad335478f315c2b708b6796a32a4f07313bf3ee444705a44eb238e6b1c70509c9991dcd3437

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 39e9cd3dc6eb368d031cf51de3a5bbd7
SHA1 3aac936e1af163a2fcc9931deb7608d3cb9596ae
SHA256 da502cbb3ca619b10d846970b358a41c73238cc0d61c9fc831d783a9cb0fa726
SHA512 40a99492940086f7ceb2f6f35f1abf4288c0eddfb00b7acb06899dcbf9f4945f2421ee00e9c830a0bd0d1e7eb5965e27fe0ff8e01ca712f1c3293bffa1d6dab1

C:\Users\Admin\AppData\Local\Temp\Oogo.exe

MD5 8a6eaf8e79fff2e340ea612fa4e165c4
SHA1 c7b9571da04fc03512fdae5cda135cfe9124b2cc
SHA256 707f42d97276ea033d8287109affc2ea2dba244a0e5be48e40871e453a6fbfea
SHA512 a3285f08d8fadb5aa79f39c0b187f7ce07897d7aa6248cf19ef0189fa2f88df021ab9b32885d95a4823a38230778a5b887ca6fe3bca3cd5bf5585fb6d3930fec

C:\Users\Admin\AppData\Local\Temp\QUYq.exe

MD5 6342de7ca00cf853758ef3e78a86b69c
SHA1 b7062102b3154ab3e8fd43c9782750029c45c68b
SHA256 87caaf6a1a5a5226948f6595048e0a98e1469bca148b741902c12a0e85abffbb
SHA512 41d1b5e3cbf8b84fce010502ea87ed2175eabc2863a4bfa355e8ab7628b6d34db67d621542bc08b3033515f85bedc1a39babee8f3119ec61525b9c04da20d015

C:\Users\Admin\AppData\Local\Temp\yUAi.exe

MD5 591abe1fded416ec0d885af1968bb2ab
SHA1 aaad181c4db5569c2ea72f317023377b552cc4c2
SHA256 8e452ef334796c2aefe0a12f28aa13442d8ba2c58389e505d9953b47721d9651
SHA512 9c6e5ac83d7f04e65159f4143e5a0a0af44f8357bf66e88cf31896a9772490610de24a0f54d0845ed5100a8f95a307be424aab6a57358ec60f44f84e0d2a1e59

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 be222ec3fa5668cf79b6286032cdd14c
SHA1 4a06650287ed6c266ed94a249939eb7692b85250
SHA256 d3ddd1e41ae1568c05e40adc3b586e96c29e537a094003c3efca9545f2cd7c08
SHA512 2170996d4c0fe342b4106b6539564360fed2f4b67ba5f6eef3705f2ce5a2793a19a804236d6fa27147c1b4fbc4747173c85bd3b56bb0ef19789c8517cd1802ee

C:\Users\Admin\AppData\Local\Temp\aUca.exe

MD5 380a8df1a83970f33dd2c61a15472cea
SHA1 3c7a590feb432adcfbe151b3175a2685cb80ad6f
SHA256 4c0355d45e393c7f5a9a5de351339ebe26b1617b22e455026576e7d3afc53cbf
SHA512 ad33412cc166d71eee6f37a860c426662bb02c0354606cdde3513c7ac1e7046a013082333a921ba9036ca42358c89b1f725836160efc94f12d4b9d96fe720973

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

MD5 3079e1940fa68e706a8e862b582bd968
SHA1 a26e2c150c30dc039dd8897f2c67f1396acbb42c
SHA256 4e9917877f5f57d0a85c45cf8092189573d7ca9d5bba304c4b5a98682e173697
SHA512 36765076b8de4f3bf138d65c61d48d8b67bb485757bb356d7f1d39bd44a4834f7d652527301b62573eafe98ec3c385aa880a8db784be0e6aae57d1d2b44ccf7d

C:\Users\Admin\AppData\Local\Temp\iwMW.exe

MD5 48f0f61f31f59eb4263049a03382c4b1
SHA1 7bf0f8a23d19c115d0e85c4cd6a77ccdd95cf392
SHA256 715f7d4661f10b10b2474cbf7ab93d23a1ddc77338d3c014124574e6a96a5507
SHA512 6eef8e5e41cc61a81b47ecba95bd5566a0dae545f58c72dc984e6edf24fa34075a8e1e945dcc7c5bf2aa1ac935538e128b055ad44d118d0b77d48d9348a4e620

C:\Users\Admin\AppData\Local\Temp\cQUO.exe

MD5 def6fe7b6051a77309b7595a23d0eb9b
SHA1 2992df7831fb4d168509f30d554fbbc58c9efcc0
SHA256 81373e30f12876fcd940cf595d2fa6017afb0b14b67fec83e74eaceb33e560e6
SHA512 e17d833846552916eee6845a153b40676e37e0e66504495bd0fadac087cc7156e87349cd7e852f164f717ba855f603d23bb6d9155958df76b13c5205f23281f1

C:\Users\Admin\AppData\Local\Temp\EUka.exe

MD5 d566d9ff6aebe32cee253b0150193dcb
SHA1 73d12bab4efcbd3b3d974470974771a3088e4c83
SHA256 a82d79d23501711b36b13a122f24d66f624f1d54c2376433c63aa5c8ac1f154a
SHA512 eaf90a3f6ec7be8788985abca453f93dc2cbf87a8ef4d0c7fe9ba1297563e03458e840c3c4528263a31f612fe736957498572db7327611edd1ddcd8656c98276

C:\Users\Admin\AppData\Local\Temp\EkMG.exe

MD5 92af5ab737d00d2c4083992ac61c61c8
SHA1 f452b8ec18c0ecaa87e7d2c2dc9107f94164636a
SHA256 2e4d57e095433978ac5dfb97a3adde80567d69cb4e45769a0e2b3e483409173d
SHA512 582d6332ecffebcf58563e50a909e034785df1e182b4cd2a2df5e92b49a46678759877cbdf8bad7020c1f4d9f3b1b3a937bf7a89b43d27dc4fa5e400953d7a7d

C:\Users\Admin\AppData\Local\Temp\EssK.exe

MD5 dfe8e9e06ac449be6893a0d71155ef86
SHA1 8423fcd85793ff77d6e8c00220ee097f4a58aee3
SHA256 a90099bd8c84ed2da6b6c5d5d37cebd0f5f72406f9e4bf6beebdc8d9600f3340
SHA512 687a3919df8ac2fcb6dbaa88d36fa25cc3864f283168001988333c8c00139a1a0a5f72aeeda797c8947b8d762f781e0843ca79d268e233ba7c0d2eb6c88cad3e

C:\Users\Admin\AppData\Local\Temp\mQIe.exe

MD5 9e8b52a5624ef92de4901ea390801402
SHA1 b0b20648c7caf5ec72497087dc76332f76acc5d2
SHA256 11e24e4d4128c39874d6fa34db9c35ae536ea9d4f12e394304845bc634f214e7
SHA512 ead6256cb00ea5694cedc1464a8ed971b58bed3fb25ed3a57575c7c3c911fedc9e42e64babfc902c86994c782ded963b5d34f1199882c21737e792c0f67b58f9

C:\Users\Admin\AppData\Local\Temp\aUEC.exe

MD5 79d276deae8f449167dea13daab22133
SHA1 4d457b0935fce4778f95f51d221570407036a923
SHA256 d7e952581d500e402fa0e0c4686d31b6352d2eb3cbbe5449ca5abcc8d768a37c
SHA512 2b9ecea67810dd2ab8a1d2269426759bd64af975e33ca4bc370ae3fd13059fe11a53644f3a6266e29ac2aa00660e4446b497d7d80b4fdcd04755b39ae92a961d

C:\Users\Admin\AppData\Local\Temp\ewEk.exe

MD5 a5b7bc743b6f191a469ae6f6715ffd1b
SHA1 cc53fb17bca5abd8306f6ec9890f4f13f85adacb
SHA256 986d70cd7b5f5a7ea2ba8b6bd065608e59c0ce187d9b0ac6d04fe7a52a130390
SHA512 7531962b607bfe758a165b33129088eccb16ea9cc18723337491a3820c52544ec1ac5ad9cab8ad996a24e4b5f7dfa045aea07ed47d90c249477690bbd7fccaad

C:\Users\Admin\AppData\Local\Temp\EYEo.exe

MD5 fb05a78b3a3ccba856fec577772893a5
SHA1 c70c28416770c7e95520ea2df49370ecac25930b
SHA256 01b0bd3dc3eed159441d44f715c71fd8fd60c65fccfd722fbd207430af834b98
SHA512 58286fdefcee02aab5ae55f3230d78d3c3b72771fe37079d54cee60609ed540e1fb188832ad60aa92c33b6eb096e8066e9463e3c0b280f73fffc0d6ffb09fb56

C:\Users\Admin\AppData\Local\Temp\Kooq.exe

MD5 4237f342a274f65bd5099f322935e530
SHA1 047e1ff24aa8bb3ea7538b307f083fcd22daad96
SHA256 c8793fd1e7f0d91fd69344c89af97ddc75ca12172a678676a7d2bc1ef5ed2867
SHA512 1a450ad5fc18fe7758ecab8bf2031153e7fbc9f7ecf62ccc09639f7a768d96ac9b6a52b29eafff5dfedb6dd755cc0cea8dbe372124c983e1fa4aa55331e1c060

C:\Users\Admin\AppData\Local\Temp\cgEu.exe

MD5 748a82885d543d768a7ff3918f2be2ef
SHA1 0b047690b6412ebc81c23d64c54cb186b31c2342
SHA256 4420daebdb02ea1ae59a33c29cca1ad6dfffb67d66210175bca65c4ea9b36ace
SHA512 672ee8d446350d59660e8d7d308c612c1e515ecdab1466e6489149cc5be38a11e5bfc6142364b2b86c8501ab2d6b8949619ac2ba8e41f1f9502667fb4da5a637

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 42beb6071dfe3e6829936cfe300a73fa
SHA1 0a4a290089e913105f50a36aa3a21fe321a7b9aa
SHA256 e7a39b52e2521004950861e903b39715f93b9d579f603db4c0f515d0582f359b
SHA512 b16de1a65948c60cf701c3cbea4656b00f5a93665f1d4bf78b0c75ebc1da198b71a94401863f5ee52e0c6b1d297666927f52c474c50bd80e87f17c9e572bd456

C:\Users\Admin\AppData\Local\Temp\qQEg.exe

MD5 3ffe84c6d45172e42ee18116948a6386
SHA1 5e29236e73e6f59ed8baaae95ecaf70e41f716b5
SHA256 1d6c1f6c5d4d900a4124b0e26174c1389e9df50990e13d4295ba2c20ad0ff897
SHA512 9dbb531f7a0be9eea414dd45b4bc1043dd6cc8bf1f2b058e090ae110ce07e677b1477a2844aa00e779da051f378efa313c5fcc72260e630a8ed3f240049b9e73

C:\Users\Admin\AppData\Local\Temp\eEAm.exe

MD5 51a84f3ac149e39ccf97ced11dd6630a
SHA1 627f6f835ef33561cfd8d7e6d7cbec9a3f3b0894
SHA256 edc53b24f26def833fe6aaf7f03882e5569bebdd729ee2e404601000933a6d35
SHA512 a74404e3419670dcd6b3b280724f0750b73fc37e8b07cca1fa2b7292bc3fa9c1d560407e53d4c2585368070735bad7acdaa4e888a7372f1475ebca06527369af

C:\Users\Admin\AppData\Local\Temp\KIwy.exe

MD5 149e616a453419f184754a93de0011c9
SHA1 afbeaac045da384a706da20b2e97eca848a714fa
SHA256 edeab0ebb1232a873a5ef3c6d4cd9c045f985839a1a4a351a2ad22b0bb5e65aa
SHA512 28a07c0ed4f2890b0cf028bae02d92a95b806244cb71c0a17180200d8ebb947d7503ff2948d446ea02243f3a7113758b5030e5b3a639cfe4f563e993c9dc2887

C:\Users\Admin\AppData\Local\Temp\uwgk.exe

MD5 616fe0ea1ef62130c461d6e715a18fe9
SHA1 49f1b73ad4f44932805262fcd934398aab46288d
SHA256 a8b8a210a4bf58f1da16be9f605dd1f752ea65ef0878f545e072f429f456bc0f
SHA512 9c386784e2a1874c2114c527d8dd1d2b532be277d8db7d17bc3d3d2e892b2282f322cc902c6235490cc699ebedc4faa5f3355b983dd1faf6b6ee52b7f270e7bc

C:\Users\Admin\AppData\Local\Temp\SocS.exe

MD5 249c3dc9a953378ed73a5932592e4768
SHA1 c317f2df888103483cc33895096077aa8b5ffbdc
SHA256 929edb1782f34f19373a8d37da6a7d494cd1855e9ce4685931b9e759979eeaec
SHA512 bb33549c90e951a7dd58cc0b3ee7eacd357b5546f6fcce46b3415d8a9aaa91efd8a437ded1f53c021182b6eb93807bee16f32d83823b84707f685836f86c54fb

C:\Users\Admin\AppData\Local\Temp\OMQS.exe

MD5 548295e372b50dc16167a45933b5125f
SHA1 e69dafabd22e467294adb2c0f9dab5b576655637
SHA256 314aa7c4765425b7c704585246366549959fd0173dbdc3acc076cf8a6a4bd6ea
SHA512 7dec0a936f56f6a6c9d77244289c10939b3bab4b9b12ea2cda59a564503bcc99999190ac3757e9f77a64551bcc80b938a880106cfeb87e107b44d212bc00348b

C:\Users\Admin\AppData\Local\Temp\OgMc.exe

MD5 bdda10cb20a54fcaf9657e5f50d3f511
SHA1 4b5ace06ff45a05ae873e069eca7aa041feb94c0
SHA256 916f8d630c43b960904e9eea6f09762c4558f67e0106f30a90d4badb032a8f6d
SHA512 cfac133754395fe3419cdea4317da4e57c72111f8fec8d47a6c6a146d4573d1629ca5585020bc189d1e3893712447dc6a429264f46f7ec74e5a8407c452559f4

C:\Users\Admin\AppData\Local\Temp\gIUA.exe

MD5 9da70adbf25b961c6487f1db52333fac
SHA1 776a08df21bb666acf2e0dda59dfbbc0297a7cea
SHA256 0b5c28ce66d72dafa559efeac96f47d1847d366a361fa71bf8ca93c483c38484
SHA512 191656fd8d7ee4d4ec8330b4bba0bedac07c59ad838d7c8b368ea9e7a3613baa6e363f182192604dc8b8e440bb2c07c1d15ee9173bdd7efa50346a26af2e6d2b

C:\Users\Admin\AppData\Local\Temp\EwoW.exe

MD5 72a7ce7eaae2b62d3cfd24a2ddc9996c
SHA1 b17345a833c725a4d3d640acaee6951924ec453f
SHA256 55dd45233c043ec9b89d486983dfc232407d58e145cb7520071ba787fe3d4c50
SHA512 5ce0957ab3d3bc23cdaa5aefb1849663b1beaff30bf10168adcd479abc694398aa88e539ec4d9ce1b9a5871f981e216d588ea7e6aa1c32e0a91335406ab44f30

C:\Users\Admin\AppData\Local\Temp\icom.exe

MD5 6edb996380064d25245c83e551fbc298
SHA1 471d4e647bad108bc2fa15b24f3b90e61e4bb094
SHA256 3b55080f93f63c1b4fd1150b49cb228495cd4fdc8b904df4fb961e2cf564afa0
SHA512 495f7f470e5e12dee1c9ca37b4bfb92b83c0fe00d079cc736d62dd0b6ce18b9de2bfa65684e213d2309950d13829b2c4c20946edcd58cc004298c42e18ab3060

C:\Users\Admin\AppData\Local\Temp\SMoq.exe

MD5 e8f24d789bba32283b05c178d7424ee1
SHA1 ae38d41ed529fdde31764e0ef2a05a1c1aac68b3
SHA256 3e4db5f2b2a2756725f09ea04cc2b240d0ccc917ff733e15347c2ff6edd3f35e
SHA512 08dccef391c1c793416ccba97ff3275a53264b11a831b5df50571845000788d8b6fd54ad98a1e26af20787023d18cda099e9e31b3cad81ad459a15bed3c21678

C:\Users\Admin\AppData\Local\Temp\qMgY.exe

MD5 94d04daab9c8f166c96ea91fc3235459
SHA1 2583baf7ca8b6fe8fdb7d035b6fd4b2893e70205
SHA256 7156258d68e9c019cfb5f8db0776a904ee89592f024ae18568944ab05781a74a
SHA512 8361adc600c6c0a5c1d722b35c4516f4a2bb43775f17d649b63a405a666b80ae0188724edccf3cc1b412153b43a23d321f9f0226ac95d68f6462b6bccfba88a6

C:\Users\Admin\AppData\Local\Temp\cYkS.exe

MD5 f371e4963faf2499f757a096c63f1037
SHA1 e022f92a666110e91534eb22b24a76429ef771e6
SHA256 d972a328dca216fe4578fb7be35ac3ffe6785556a4866817a56afa6d83cb3bdf
SHA512 c52e4d0f5e6c0ab5238437d12e96dba47ab5922a5f1542d9103d49c56160b8663654f27d03d2ecb2473d2cbcf0eb09b4e0b27ff34d407ce43d57b837565f1543

C:\Users\Admin\AppData\Local\Temp\Swsi.exe

MD5 9a861c7fb2bbe68fa71327ed9a3b4533
SHA1 0c8f81f03936a0dbf8406a0e24f29121cddabd9f
SHA256 01370125021024b53a7394479e92512aa27c4d6c8f10f071a9796553809a31df
SHA512 aac2092a147a09a3f33c72184598ac533fdb992f13eb659defc3343a60bbb57ebab16f9caa2f8d7004936026720e2a68d2dbe75607aaa6ba1959dbd58940cedd

C:\Users\Admin\AppData\Local\Temp\MEAu.exe

MD5 dd585941cda9ce3d8ae2863cd33fa51b
SHA1 41c55dbd6bd70b4131fb0a115dc1e892f518e336
SHA256 29e5190df86f76e1807746d811af96af52a5a338e463f4600d3fac9b0a51d011
SHA512 2f32b2a748b4863caa54f6e1d536e889683c813df10048626f836763eee789ed1c7c8a6b03944e25b57fa9216f94d8b48d7c2ba1413e67e5f409c807f34729d5

C:\Users\Admin\AppData\Local\Temp\Qssc.exe

MD5 b6ee3105c4b8caed657809b0dffa4cba
SHA1 fdb2dd50b4a84f14a3b0f85321c6c1626fc6692c
SHA256 a4004fbedbd3b65f4f13b5f16a8a566b5282b916d33024f80ec4deea000e068c
SHA512 a08657669e808da6b14840f4a360698c36347c56f483e9c185e1f6e682408dcabe26a37b8f42ea1105ab7553f73850aad794f00c7e826917b18429c631cb8d35

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\256.png.exe

MD5 5f60bedbe7d16ba122852f06468d87ec
SHA1 9008022bd623107ac6ff1f0d4d92216e3da9c476
SHA256 290171e8eab099929a0d300087cbb7c30180e7c742bd90ec0f198e9d37228ecf
SHA512 f103477b5d7d75cb2f3ec9e5218b50e430a8f3070f5b72b46afe880d01f0a6385fedf760db80e963dbc99decfe62f16dc256da4f58986aa4ac3cdaa731092e8b

C:\Users\Admin\AppData\Local\Temp\uIcm.exe

MD5 9e44999993729a91b99853d19a53f551
SHA1 bd170e2e65567b9c65f593ab5c63ec902b6bfc94
SHA256 530cbcd6fc239bf9661625ad251ceb119156fed581d766f70ac69f86749e670d
SHA512 c67c9f6e5f4d1ee114d0a5f44e662ce7867659960384d886be108e0829930e1ed0101d2f44465ad7b832970ac49032a2f92c43c577d7c7371d08bc80c1932559

C:\Users\Admin\AppData\Local\Temp\moAo.exe

MD5 ff0cc3fb2c6281869c7bfa552034d520
SHA1 f06750c9ac86c7e3ebb25e8cca81775a18c3f805
SHA256 343bffd7c5a483df2705cd4b0fb0f61fe4a9f25d0a1e758a3eb6ae2b16ae6ed9
SHA512 be94a5f1e9feaaf03872fa28c193c27532cc14df2eda5b298eb79fdfb13eab1e36418fa609a8fca94b2f24d0bc1e2b2447f6b01a07110ae02a64786a8ca55e93

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mdpkiolbdkhdjpekfbkbmhigcaggjagi\Icons\96.png.exe

MD5 192a60deacef4feb955dd0403c8b8aa0
SHA1 f72d281234164407c3d071d61c42b123038fae32
SHA256 0e3c5b141d833dae5744d7184fb06f4f2f4a9c2021d997de07753fbb1c43af77
SHA512 37130970de519d026aabf0a03417015cfcca144a2528fb2e3c622c6484c13bfd52988c77850a28c4cf7d066338df788b3778024e217fe1ae68bf4070beef104a

C:\Users\Admin\AppData\Local\Temp\AUsW.exe

MD5 19a9321ebca4846299494bb542282017
SHA1 977de7aa5c6e1167abd970fc9bf04a00d22776f7
SHA256 b969898f8aaaddc4ba066cabcf4fdfa1d448e121a1e61790e17f7c4c328d20eb
SHA512 a9a1dfb76ecf66c13495e83da13b10651f3269e589193048332e93e0092e842b266cc371c730c138a7e441ec91e9ad03635901307cd5f25137e3cd18c99ea990

C:\Users\Admin\AppData\Local\Temp\sUoy.exe

MD5 e2560c1e89ab42c8350f05f70bf0ed20
SHA1 f22dd593d330d223bb345090a98ce029ddf64759
SHA256 5a98e2efb4e0f3782cbe9adb9a34d6ecd661bb905992a7055e3487f70dadabf4
SHA512 7b35b84cf0f4d8299f192b799492d00c6fa2a4519668e3983cd08b372c4bc0ea5df48389a8653889249edffe906b20994a273a8e49ed13687dcb308fd3d7aa8a

C:\Users\Admin\AppData\Local\Temp\IAYG.exe

MD5 b41c9eb6725ed875b95849d62306f177
SHA1 4b8d46e324c070089cf9c79f157b9c74cbd417a3
SHA256 5302065cbb4b0c02096086c700cfe07d94a993008e5a6561fdcb63a3eaab008d
SHA512 ceaae5d770cf04886f82ebc192cc317dde4e593b87c890d0b216737ec158d9e0c02cb55f0bc4ab0a9927f877fdf98288706b953e05ba6753a61600e575a58930

C:\Users\Admin\AppData\Local\Temp\ekUi.exe

MD5 13571c32d9ecd8132797c652d397bb04
SHA1 337dbcffc0f7133703ab75af2b923f70f69921e7
SHA256 0770512626bcc00a332e9847bebec8095a4f6c5d21f4aefd57b2f5b6e7e980d0
SHA512 b4208af87e70e47a9916b7d244af21dcee92620358f6e3b8232cfc80d91d6bc4c7da3421d55d0a724da968794a028f64bfbfbebb6feddf36f89bc2ad7ba3f375

C:\Users\Admin\AppData\Local\Temp\IsIG.exe

MD5 0086102efec7af22e1a8872eb2dd5166
SHA1 7acd2948a4cd563ca8da9b20ba2ecaf4b8042d59
SHA256 0fc6d2898ee4fdc379ebbbe86b41b0a5565bc617fe5a4be3d11fd56b72ae3614
SHA512 f9e31a689c7e4c627a29313c44a4cdb2ca311933e87e653744638f962dcace4a8ddc8ce2b57bc31239f6c62a84e71dabea5b4bf10e55ee2b3666656eb7b1c77d

C:\Users\Admin\AppData\Local\Temp\EMwQ.exe

MD5 b762fd1c3a9b163da5560980e2d75aec
SHA1 39d62ceb7ada6cc131a2a3de3b6fb4165af0ac22
SHA256 bfb83391e791ab24630584f2d2c6820e13422517889f47d75f186a4cf078aa69
SHA512 9ee1f7552fb4fc38ec320886608f1a1dbe9cb9e66b4e718474a6fb5818d58e9e78cb325f734fb46389998deaf6d3c1aa4551787d11cefb21005b9b6500964ee3

C:\Users\Admin\AppData\Local\Temp\sYIS.exe

MD5 0fd5d7b8534c3e32c461e8101a0c9bc2
SHA1 ebf3abd3897f44e939c354caea10c92921f3ed44
SHA256 996e688f872383a4ba48016c39714d21f751bbf911930bc069a659d4488f264a
SHA512 5415f462131abca4a127e15c386299e5fff6b5b19140aa0f17c52ecdd6865edbf02f595ed58cb2ab53132d135d1f2c18a5e8c69fe88054a78883918bf8a0a590

C:\Users\Admin\AppData\Local\Temp\YEkG.exe

MD5 e3b37798378db17acc72b664895589e9
SHA1 e1aa4b968681c6f94fba5d9e7a455e72358f31a7
SHA256 ed65b8d554e7655a742ef6518fa550cf3aded20d327f2616b3ba05b016945f8e
SHA512 31c9def699fdd9d54b4fa3277e1379ce3300e53fdc8cfc44f9d11c912d46e329a538d3a5a0e4f88d8d449e2f99570e11684db88905b75baf881df4f9370c433e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 9333229c898d928b142ae5376328ae45
SHA1 1efd2ccdb6f17c51376da664ff080691dda97065
SHA256 8b8b38d5b481a34e994fdfa159186d28cc2d490d0407e34759a9fc824a2add6b
SHA512 1f4ebfbaaa87de37879424fc721779d9ba491226fe2ea3e07cb96fad7ee03d389baedfd054e506c8deb6c0776035acd4ee02349db2c082c52ef06252a6fed1e2

C:\Users\Admin\AppData\Local\Temp\kQYc.exe

MD5 7a5e3aaa4d7adbbed02a7f989e11b702
SHA1 05531b1d1e7c02fd9c3e11e94a4637f9d83faeae
SHA256 3aaf94e1a1d25560e1966328c16809b53c663d99c0064500695db20e11be925d
SHA512 a5ad2e519caf38caca2ee1b55ed6a4f38a8dc1d727310d2ad19b4acf10cbf65bf1ab09245311eab67016433dfb23923d5ab859fc62c799fd1a0c3394ba4dcb80

C:\Users\Admin\AppData\Local\Temp\qsQA.exe

MD5 bdbbcf0ad87eb20ad4e57d63406d20a0
SHA1 ff230c1386b1e189e5d97f352e70174f22fe615f
SHA256 19be6aa2cffa77e22fca7a8259de5a6ad96abaf3465aa3d57ef79748a1dfc7b3
SHA512 fa78f381d5d33f737ecddb295ae4efb39211ae5bb886c20da2512e3a64f0728d4a7600fbe32b7777b3a148449ebf8d3545f9e8408781a8363d463a0c1dbc79e4

C:\Users\Admin\AppData\Local\Temp\IQAw.exe

MD5 83b70769b351c6e8815804f3c7624245
SHA1 95b3c6a8eb7229622dab4640222afb861dfd4999
SHA256 20a867197e6d68a62da486720344ff62c829b9b3a04dbe0096dee8219f01728a
SHA512 2337b8b44ba1cc3e85c75aeec56758529bc0f24dbb3729c9828a749b586550e662a0d288c6a247249ff0a431115bc04d446d8ef09b133e74361bf686ada59047

C:\Users\Admin\AppData\Local\Temp\okEA.exe

MD5 8ab0ff99f04bdcb312fa5cda5cbf967f
SHA1 de9a135a9154146cbc4c41b51173656d3c654851
SHA256 e43db5d6d2762440824637a4e708f1ff5f61425cab25c9dfa84637f3cf1b3d0e
SHA512 fccd191fdf08c99dfa6ba7f827ec74c14ff25ba2f54ad5dfa3bb1ca1a58d5f748a65b099cd8dd4f36c505a295cf7320cb481a88de628c969bc1db8a67075336e

C:\Users\Admin\AppData\Local\Temp\sYoa.exe

MD5 88444a39b4e2a18ad9cc9fe9c5c54d74
SHA1 0e103992f91291415b5c3d2e61ca8d44e7adcde6
SHA256 c9e7ba77b9d1f945b76b2ba632cf896b02030b05540226be5842e1a216ee3192
SHA512 98c8e389e7b307100daf4ea47b511ce45228a589671cc345d041f141e80ad7c3d6a4c543024fddf4d4f02f2e07edc86e35826ea243722de3c97505b23b5ebe79

C:\Users\Admin\AppData\Local\Temp\yQMG.exe

MD5 7a18e3e9b9ae46d4bf1bc47538d925e6
SHA1 a70d8582d20bb6e49196cd14b9e693ccf78d8f4e
SHA256 8ba8bb079c2448a1e2cc6ff931a30ed6256e61f78e4c746841793deceae39af1
SHA512 7c3c53062c8c0001c4d6efe8f2884fe1cd4506ad29c3126342f240d9cc5a344570b013b054968a4c34c03274d4a8163621aaa7407f6a49a0e3ed638e3ea67ea4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 f31e90986f1395543a58a2146ca32d2d
SHA1 27b8cadd860470b5e682fe2f34652d3d3a998e02
SHA256 6c8b574a8b2d988b46e3d868bc4f612339491ff905e3e1240fd67df9b919a998
SHA512 f6aa51db9aac58155568579a914bcc5a31a1f5930555a5254212fc0eb6e8cad66cfe988476cef5ed35ceb30229783f8e4be5fddb7ef79e186bf351b683ae0352

C:\Users\Admin\AppData\Local\Temp\GQkY.exe

MD5 2cfc3af1873bdd8928ac98d34d77c7c6
SHA1 112b1a48b4c0d78cb0e3858210278aa1b904adc5
SHA256 3408b4093f1e798536d5e7e174d9c1bc91e3ae8c6c07edf210bbc95b4942af51
SHA512 dc7a18734c7cd940e0835ccbfccc6dc1a9b004a7859b22ce49d157094c66cc715ca276777ee75a91102aba5c5e89fcef43fbaa1d792ee5431b93b0e68156c3a5

C:\Users\Admin\AppData\Local\Temp\MIEi.exe

MD5 73f26d952b9ab6786b2e9dc55cc8ac76
SHA1 0d9f47b7d979987b8914cd112ffd5d89e89c1590
SHA256 f98c578e82eb42371ce6fb1ce066778ca66ac7047e1616e17b8f199cbb38fcf8
SHA512 ad84236b42d802ff42b855cd735df6eedcc08aa0b886836a57543b6a2c86d598f829ae6563c2072b7eac515ec5caec377a6e46bddc62812ce3af09b24936aac8

C:\Users\Admin\AppData\Local\Temp\ogcu.exe

MD5 f43d05aa9948df9ee80ed918b69c73f1
SHA1 2c5cf713b6b034d6aba520f8ae5d0f710455db27
SHA256 9fec6b4a714f44ceefb9f824713c73d2ab15bc81899489d8996f56e30f657ebc
SHA512 cc80546f3214f4422a80678ea0cd25afe8acfeff19e796feec4205904cb5518cc2ad81db4332708410dba7af20db174b9e630a6519b2e5d8390c7196e4dd48bc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 93fd950852d52a49f5ec33394c22caa5
SHA1 e848905ec2b98076d35ae468f5c4876207612790
SHA256 e49b8209aaf4cab64b2d5ab24b960f011bb255647154a48d739711b134786f9e
SHA512 ec7a9c9f35ea21b06c1be1fb2dd0352716d3ffaf6164b2684bc5b15cef73ea1de130e72a02714e63b2ec83b826102d68dc58fe5d13cc90d4a191638695095aa5

C:\Users\Admin\AppData\Local\Temp\WAAK.exe

MD5 1f7b349a74c393c5f00d86a4af1f70b2
SHA1 3c11b7f5f8decf344600814712a4b63866d3dfbb
SHA256 6770233d27c02fac2a5d9186109fabe6f12487c3ca47a448eb7118e2610da34b
SHA512 e1029b7e036076d05c22bc0af38266fe4dd56441df3486c30f649a9fed184dfa7aa59701ffe87d14d8e5502007bdd1e62c22875c3848c543ac3da080b70b7e6c

C:\Users\Admin\AppData\Local\Temp\GgUE.exe

MD5 cf4659974b5088550dfcb9a47e311b1c
SHA1 130228a1f34e9131bc341d0802be2eea6635c3e5
SHA256 3da7e5d9de5f6ed4926c24dace361154f4aedce1652308e6bbefb1ede88e0450
SHA512 89dc8022429ecf200204c1babdc0ab29324817bed29ebd58a03340b8b88707fff5c09b32e472beca2bcbfa98b7971623411663b3fb67c95f114db60a69807620

C:\Users\Admin\AppData\Local\Temp\IgsO.exe

MD5 1e2892e796ad502db2c93399bd9fab9b
SHA1 b8edc63c0c02543440c067069ff296b865caa67d
SHA256 52890401e6ca66ca7080527c77f3cb946c3309db7b3f4cc76a5c311a280f55b1
SHA512 a23a104fc501051f296017352463bdb4e728511e1ff5202bef25fed4b072bfa0bc5d64c8c79dc421680d6cf26f210124ecc2da4474c86551fe2a5f9214522258

C:\Users\Admin\AppData\Local\Temp\IYEE.exe

MD5 f5268fa4a646defadaadeb40780ff072
SHA1 5ac2463ade95c155751cad638d56019382db67cd
SHA256 41d0644db81606dc770c799854f5a40a87fb645e6f9fd05bea0da2592c4b3039
SHA512 b01c0d15b711e0bef79b6d19a89665a074bde5a2943f0748d2694aa746e8869d00c10d80c8b68fc840644ca5cfe293db6a11308b29062784a69092c17c8790f8

C:\Users\Admin\AppData\Local\Temp\WIQM.exe

MD5 7bad3c905bc91cfc4fd86c62033c042d
SHA1 6f7579f74b27410d38240aa371e9cbbd1bc2f7c2
SHA256 97a003fbaebb0fb5c7aa3fe8017a5052852c1436a57079c4f5f61f42c80529b8
SHA512 f8ea11f85ffd24d8f3f22ccf5a743cb3bb825d48df1b4205f54e308f6884776f2fc509bfa5125193277265a6cee228a7114be00d49fc20939456852e4fa2b249

C:\Users\Admin\AppData\Local\Temp\MsYU.exe

MD5 54da8926d42b6f1a82bba007ea451afc
SHA1 b37a12f10dc54c1a06e8d4c3eb38ee8119d7c915
SHA256 f4fc1ef0bb7c49869d73d702d4b58917ab00ff4e14a517dcdbd4eaccf324d435
SHA512 9da0a4f4412f26a169dd4e808f74079114947d036a6225d1628684288f6335117a18be45d23c7af79892b376a8f4a458beae9fbe0ff179a9b522475e88f30a85

C:\Users\Admin\AppData\Local\Temp\Gcce.exe

MD5 118c6494db7e047ad378bca7ccd74c64
SHA1 64ebfa49980d21c0d557d7a967879830b3828633
SHA256 7bec4883b55becdb594729262e2688e1930d3009e619e567c747874eaef6f9f0
SHA512 906b190a6b156fce7b466a6c259528dd7b63685383ee49bb126ca0c7d9c0a966fc17527624380f5573872d735d0413da208060ea559065806e461eed965f1017

C:\Users\Admin\AppData\Local\Temp\YYcW.exe

MD5 de30a13e729deeb0d1db8d434a22df91
SHA1 890963a3ecc8215f6c02b453c7192fde3e78edf4
SHA256 20d9027b0092946603aa2998aba3d2c727cad64c67218a23c89e697eaf9a9b75
SHA512 68b4cadc8cd31c94e891cc9ab711f704e2e5138bd5bbf3c6417814c310e233aad3c7ec22858d1e77d8b111a6db738a39de7b3decc735d96bb982362655b0994b

C:\Users\Admin\AppData\Local\Temp\Ekwq.exe

MD5 c39de52b1674da18e43e6caab4ec514e
SHA1 f2f8802291534f461b3353c69bf557c71f0a5c1e
SHA256 d89f9d5a8f36d6b986d5a026e077d60aae68ddc02e9949389d58ea2bd5564cd3
SHA512 236f44a30b57532cebf482446aa49494b2c63e7adfe49663de0ec4c3caa633723c576aa214db75abfd6034e9fcbde47ecbfda2274a1781671494aa3ced0a9a91

C:\Users\Admin\AppData\Local\Temp\KEsO.exe

MD5 585a2ecf95ebc07c3c91e0d8bc51168b
SHA1 6b61a7cfa2932ab1a2fef63f84ebc96ad30ca33f
SHA256 7d45c0deb227b7ea50ded0f4ebd0b169ceed7a7871233bfd6fe99df68aa9de00
SHA512 905dfb73145ace8136ff5d94430811b000696d75f528fe7b3b13540d546cc3d642455db3f957015835cb4fa5f443f270554c881d3af65803c3cf4e21bedc8d39

C:\Users\Admin\AppData\Local\Temp\MMQG.exe

MD5 7a6fee955413531377c0d4b198f632f0
SHA1 65b9c6ae9fcf2d410ce269016a9f6e62ca65d510
SHA256 ced759f80cf7123180def9bc8d75a93a6c1050f3c77d7879a323c906ae582de8
SHA512 fdaddc0f825314e1594cd7a5d66f2dfe682d4f2c9317902e305084ade0e727f36a8685d44b96a83431313fb0517b223d11758861acee0ed824fa1eceac1ddd72

C:\Users\Admin\AppData\Local\Temp\ooMA.exe

MD5 306d4665875d811fd530f77a7aa240d3
SHA1 ed9799625f642e07d42ef730ffc8af1b20a29786
SHA256 6ce25726defdd9d6710b6aca3e364d049ec5aafd98cbbaf3c49c198dcad43914
SHA512 8f1a4c0f7c042e8cf07d76407eca6a1002a3faac334d3ae91570bdeb8e7bafa4ccb9aaaecddc983f75d654c97fdb9693ac7639339aea41b23a18cc3fe3c8128d

C:\Users\Admin\AppData\Local\Temp\iYMq.exe

MD5 777a5e9e7d0877d59e1d8fb5da544c32
SHA1 805d995d0aaa406c9bdc7620a5c17358f2032401
SHA256 547853082ba5f37974b11284b52783dcf5f764c999ac78412e088c7452845bfe
SHA512 839e8b246408fd3ada03db5326348aa0768b646fa3d29a678accfbdfd83cb5869fa418ef31d43fb08da7ecdd2a48b1976e7a0bbb5dd7e603603719e7645e930d

C:\Users\Admin\AppData\Local\Temp\CQMu.exe

MD5 d22049986062afbd6541c62222d91caa
SHA1 9c87e788d7981c003093ff6cc28a186868310a02
SHA256 f9e04850d3728edd756b028df77261aa8edf111ab7b892633c1490f2c607242f
SHA512 3cd884d274ab88939c565be42be7a0e0c62eaf3bd68b62eac112804a1c5d0495e375ce8afc1f0d315c92f6eb5ffbcc4821c950965fadc265ec11776330754dab

C:\Users\Admin\AppData\Roaming\StepTest.mpg.exe

MD5 5c25473d4c390d80da3a4ef8c28bfd1d
SHA1 8b22c28f0ac244a3a1e3824ec496235195cb6abb
SHA256 10098f17e821583527041da6b12b91bb0ac58312279088a53cc00a12693e9cb8
SHA512 01086d24ea5d13ca18163c58706c6cef9cb5a77ff36c46826d3e09409d4467d1a13315e1f79e17afb0a0ee260be919d0eb9dfd81538c67c6ba54a9a3d6bc15bf

C:\Users\Admin\AppData\Local\Temp\cQMC.exe

MD5 9260740830660f22017bc2208b2aad1f
SHA1 44a26836eab50a395b24219d902525824e8250d1
SHA256 beb2ab021e23ff6b2b39dee50f6fe5111c10c9c629e4d6f0f97bb6f6bf363772
SHA512 d0b879f2fe13c08d9aaabca163babfa0173737068523a78009e2947474f1c024da90955a9ac33b11405fd47b40872c62c3d8ddc997557486b0ef0c6750f3ce51

C:\Users\Admin\AppData\Local\Temp\aQkg.exe

MD5 cb4d9f70802bb577b046cad6f6c0e1e2
SHA1 7147f931dcb7044ec102369343e808be3d30f8fc
SHA256 825b1d8a14533d76b7dab3a5f1596c4f24314042de4804d9ecd07319888ca94f
SHA512 ccddc4610b7aa606671adaaf716f63bdfb840b1534d9fac1717ed31c8b769d6ad23a604944c7867da9c27c2ff3dced1212498d12b5bf000352aabb4919440101

C:\Users\Admin\AppData\Local\Temp\ikIo.exe

MD5 46d2cbe4706d277c946ced463a14c4d3
SHA1 d0bb040c215eeee6f0b893f20098d433ad157c31
SHA256 e962c3a4efc5f0e5590c2b23a9d5705d28765d5a725af72f66de458fd7a40366
SHA512 da755fa41af5169cbb3860a992e12b485f13dbc5f63250d5978d8def17a12ccafbf25286026565e287a8d3a0d52a7d9f2ed8ca2bfcc180a2ea3e288820389128

C:\Users\Admin\AppData\Local\Temp\QMEW.exe

MD5 81892595c7acf92b802f459a6499d9af
SHA1 cdc92519e070f8b7b1191243ffaecd0527fb3c6a
SHA256 d92753dffc5dbb028f8b92202ed72c7edcaf8157e88092d14cffe15374ae872e
SHA512 6c4990e74f1a1f630b0c4044d809499f374f8b3f347f05bc287a867b738a128ec64731b736b52d791f913a25c3eb382fdb0c88ee7ffb1d8e19fa99fcb76c948d

C:\Users\Admin\AppData\Local\Temp\WUsI.exe

MD5 adb74246217c7506f186754539fe782a
SHA1 971e8ee66860da32dcca4f51d8b96bf531414f85
SHA256 1d00ac45bf3789c0e2efc6ebd7376cad33bc3af87683e873ae44dad478afe881
SHA512 a5498796b1e4c5217c943e6935bd7643644a70f9459de8272c0c0aed7259504c7af64eaa4151bf1449c0e5560bd1bb92d7fa8660f42aaf40fd32999ac79e961a

C:\Users\Admin\AppData\Local\Temp\OcEM.exe

MD5 d6cdedd09bf8a7bcb49ac9b426bed2b7
SHA1 ec905295f49c4957518c5f7d0d085b141cf30bd2
SHA256 2158fb4915b8efaf85d1d0ed4953dc12288b10a0dd0a5dc96df509c78338a0b5
SHA512 b9435ce22bbfd370a40d1183a9b7e34d7220335ab76998085e8cd9cf6b04a4151e12716235f0c296b8762e8df48b2440c0345d092f8a5e1fa7a4a17e60c0921a

C:\Users\Admin\AppData\Local\Temp\wQgC.exe

MD5 d3274d1bfe5da06435e7ae38a4987674
SHA1 5b233e247f90e6729078f6d72e4c24102124e5a8
SHA256 ff98470bd7615c04194f2daed445720601cd8dc84c8c3a0542a7287c99e8579d
SHA512 fa9b72a965d1616e5f6f735e9556f84e60521065f4d8e2e3860f9a7d0f6b837cbbcbaca7d54f47ab1d978584b62bd724fa20812cbb58110af2e8a263bc9e44a2

C:\Users\Admin\AppData\Local\Temp\agUu.exe

MD5 b1827264342a90e9b26e26a2a8087dbc
SHA1 36e42a0d4b013e9c70dfa592e2414fd5dd3b8b03
SHA256 db973baf2faa37953a516621fd238ca3587d9537bb290f83fb90c78fa9241b4f
SHA512 5b1e7fce60948060e7de5f22c9ddf6fc39059ddc5dd06d8d1523a1b4120826f3254dcde32a236d84f6463a533ff93095c2bffe6d7bcd1e1dcab005d5d547adff

C:\Users\Admin\AppData\Local\Temp\KQYQ.exe

MD5 8211aa31026a4623b805ca9b925cf86f
SHA1 350c21201e21addfc85f2ee7b079d493fd464750
SHA256 0c3a449a136a082be71445ac980132d5e67a7c2c8a5d54b1a0035374cf23fabb
SHA512 8a1cad23bed179a5338c631afc1725cd5d28172cc8cb1a2c5fc928a033ad4864e49323ff69d738601ce0ba6b495223a557df4154cc13482a6e7076945e2970d8

C:\Users\Admin\AppData\Local\Temp\ukgy.exe

MD5 2f2565334e81c132989fe551ebe86d11
SHA1 642b64729434db12fc63bac6af5a144e647f235d
SHA256 e037c989af6e964372a0bc4aea9bdb6e332ed897dca7ad1d5560d2f95669bcd7
SHA512 d1ccc2bc0cdd92fe02fc8505527af80b28726ec2d4d6ade3ddfed1252b814907792d5a5a6307c6da31759f6f7273fbd06354bdbbb25b7e4b939f8d7ca9ce0424

C:\Users\Admin\AppData\Local\Temp\OcEc.exe

MD5 9a19381109985f85ab849072c4a0ee02
SHA1 2c0d29cab9ad6b5325533ddf2bce8210902ab415
SHA256 263d1755d47baddf33daa178fe4c3eb5430d24f32c47b2ccd08f42e714457bce
SHA512 bc3fe2032e152a4d7af0e6847c75281102df39956389c4ec1de1fbc7e6b29a221c2de83f7b05cface1c1e195313a34427972b58d92823595e1b7c4559ecbd8e0

C:\Users\Admin\AppData\Local\Temp\EkEC.exe

MD5 8842730a59da4fa3c1188f045d53160b
SHA1 e243c2a5917b3d9ea7c2cadbde0f05652f84e043
SHA256 010dff7ea7a0a78daad9c76243f7137ad57d10bea708a914e123df3770124d5f
SHA512 5881cba173a658bc5a3ec25ea065fba85bfb45d9163cefa62b6d0b735e171bfb29b59e3e4bc74ef46f97a6a04528309b457c3069ce593ec8761e1cdc45c02a67

C:\Users\Admin\AppData\Local\Temp\aski.exe

MD5 61dd85ed659480b43fcb42f1e8cdcd85
SHA1 a31d822ea7c908e83e37d20f845ace0cf13457ee
SHA256 5f24260e749f4a20a557a322b36deae70b9bd2b26ee2380d63ed44e25577a2fc
SHA512 335805b1370ddaa73d6a9c04fa53aadd458949f5fad17c410283a3187db9c9faeaf6a5895ab50e081e1eec5ffa321a49c6f75235a0f0b16902d2607bbae39358

C:\Users\Admin\AppData\Local\Temp\kwkq.ico

MD5 34460862c89281546603585eba87f992
SHA1 c00e6558b839be12b54316e87116042454cccbd2
SHA256 bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620
SHA512 b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

C:\Users\Admin\AppData\Local\Temp\ksIA.exe

MD5 947c5f921fe8b46c1a71b8fe48aa11ae
SHA1 e7223799050ccdb5f08640bc057e41ca680df337
SHA256 af1cb66a1494cf8dabb6c5b6114687dddf4dddc92b9dce4e0e47f51f36e2da71
SHA512 c651205dda27b3d7aaff3d17a9ad1ebcc0984240583d240226c4f6e9b79ee7fe8d69bfdbddc399eca761d2032e698342c7aab16285252ef58f93f3c87f8f021c

C:\Users\Admin\AppData\Local\Temp\Scgg.exe

MD5 6d8cd07cfedd6597385f8963bb2e933c
SHA1 f17c975b63c5eed1bdb9477bc0121b6a28b165cb
SHA256 9dfdaf437a4723401f9f221e537b32e819e78be7111390991ac30c46f5ed9d83
SHA512 b4ed0efca94ddd654445db3849009731c35696974d7567a8dbb18ddf632ec24e42655f26ef1e71f3b14782c0540f42d8afa2578746116bef295679d70ac5cd3b

C:\Users\Admin\AppData\Local\Temp\GwsO.exe

MD5 0a48a2f8b2bc251a9ae3cee596596a12
SHA1 6c9d55d15ff46e63913fe97c9a75f4c745e90d2a
SHA256 d718d2c8a10fa11000cf1b92137b9d2fe1ccdc59540e5308135185cfc3d77119
SHA512 686d8bd98e5ef1dbb93611eec03593cd33fb6f89eba10abdf414daa6071a31473e9dab69eb0467401ddd8eb15bc0a514731e4511afda3eac17bd7a8d4e73320e

C:\Users\Admin\AppData\Local\Temp\ecQw.exe

MD5 fc7eecce26eb448c2150a9880acbcd04
SHA1 c87af207e9168db883961fd6ac69fd569b392c1c
SHA256 ff897654cbe685f8dd99173e769f915b763e230643d222be2fd3e4460d31f4df
SHA512 3f009539de6d92b149852e825a4735b292d275b71ec1d91f5de25433a98414a03595fb1b9770eee8b204cd32d18b4b4096f9c831ab9f3276b26f22afc08b133d

C:\Users\Admin\AppData\Local\Temp\cQYy.exe

MD5 905234b2f2e6995becd128e159a30432
SHA1 221b5f45d421b50da82dedfbf9c056e03cbb7da5
SHA256 b11580dc914c64125b0285ae46e34457c6aa868671b04dc9b515fe30157534c9
SHA512 5293852ac0c699fea7a1346ad544710f1605ad1c628964c1aded4baba1ccf2054d7c268ab9abd770b8a3b69e333ab280c2f8cc34e06734d3fd50a6bf81e254c5

C:\Users\Admin\AppData\Local\Temp\AQQM.exe

MD5 746fb4fa967a5690b69d6e565f7a7cbc
SHA1 9c08aee88283f9c7e70208dc756682c132191b1c
SHA256 c16893cb0884c44b80f69f20fb91af67d5f75299c79fa069c70a6e5117800c62
SHA512 0289124e7119b4d889a707dfba7cc24fc13d96c72e023579796461954d176e9b71638e6e14a64c98885696c25d7b99c45158806f207eee6c1f29b300c44f43a4

C:\Users\Admin\AppData\Local\Temp\Ewcu.exe

MD5 083c5cda8c57f00c50d36d30ee498274
SHA1 284ab487ed2e41324c5d549f62c8d6609f7d2c31
SHA256 c77a91ad43a80bc629e9f4e3684ec7263b108fbe245d719dbb0b82f80c4e0225
SHA512 a7813e94a1aa73b42cb437d1c97f8894078c795e25081bb7cdb55d2c6089efbe2e8765f2892356a783df552b679fbbac0175f152f78004153ef49a192ecb8c69

C:\Users\Admin\AppData\Local\Temp\GwYA.exe

MD5 4c36c63708358b32cc237db1e59c2e45
SHA1 96882389ec9a55c4d8ed0564b0659b1c40b243cf
SHA256 772df3e4ea5c5f53e62a3f42f4f13b575a5c3c7ae26047ee1f011ce5e73946fd
SHA512 6b16eb878e66eb5e16fa38bd61f494c132d3c88f4453155468282fcfcf4a634581ae6eaafc1be1e066dfdb871899c69048194c076dff608579b65e216c853ea1

C:\Users\Admin\AppData\Local\Temp\mMkQ.exe

MD5 3cb4839a7641beba50482f1fdaa08991
SHA1 acb19655717ee2d9c90260eacdc1c55a4c4f129f
SHA256 468d82b3781f60038acce007bc3330c751ee483d3d74b87746ea6a51440f3586
SHA512 14fb95bb64681ecf4e225f2e02c344a381b525de0c73843875cbbf0edc3f4e396502a3833e7592e03ba50d68add24724356b4f019e041eb9d08fcee8f2ddf22e

C:\Users\Admin\AppData\Local\Temp\scoa.exe

MD5 09b82c788cfaff9d0b6dfd323e06dff2
SHA1 319884b1aa9478c0c72379b69041c48bd8c28872
SHA256 c26e3fa1bd7116da7e38968d4209894e63adfd4266b086bd50f20301b88c08d1
SHA512 56a6683524efdd0ea5a6e6cdadb305a0b3ed5c95dc4e470f72b9f1ef00e72cb3957f75d5050fb15ca3a79c49ebce70ed81bb2f4435916d797a8d96a100939baf

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 5170946cc530b9f1ccb4623c30bc5abb
SHA1 5b65156617d31a5f6a38170b687463e22506d42c
SHA256 c30d74ba1f8f3eb78de45d83c84c19d5c92271b99eb9fa5b67faf96bc4658e3d
SHA512 a275734175bcdd19b45cf1e57049f50de6dd7a38022cd4d9b08b62aaaeb15ce9997575a0f94310631cccb4787ae0c978866ba38abe51cb44dc5f74fd277f4281

C:\ProgramData\GWMUswwQ\dKggoIYI.inf

MD5 d74b4f3787a1f9382ebf5fdf9bb17880
SHA1 430963398c558fc5e669edf0b83b67713c21271c
SHA256 a5af2fdf8d0470146cd36259c037f8699590eb813cd1875d62a1208dc7d52a7a
SHA512 d2bf0c0d32a4f9b4f961153f30a7bb007d000438937f2fd8c6fcd5409979bc6d6372d96c2cd297ccdcb145173a84790cfb0e7a12a7fa06e5f7ab3df28f8243a9