Analysis

  • max time kernel
    152s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    01-10-2022 23:11

General

  • Target

    ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe

  • Size

    1.4MB

  • MD5

    7ce5f7a405d6b2cb65226f9a471dc690

  • SHA1

    d2ff0b3f6288da4b0fb3f31085df7d2eb34ba524

  • SHA256

    ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2

  • SHA512

    97d71eb030df7ede2c4683117d7fc2fbf9831c6a166ca8e69c4037a739b8220454e6ca752061fe9f629a22586d1066be3f986b5dd97b2f8358a09bbda7d3128a

  • SSDEEP

    24576:dtb20pkACqT5TBWgNQ7a0I1VP+oB8pRIlYWtB5aOsZ6A:Org5tQ7aBTPMIlY2b45

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
    "C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
        PID:1488
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
        2⤵
          PID:1756
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
          2⤵
          • Creates scheduled task(s)
          PID:1724
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                          2⤵
                                                                                            PID:3900
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                            2⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:3940
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                            2⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:3992
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                            2⤵
                                                                                              PID:4032
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                              2⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:4068
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                              2⤵
                                                                                              • Creates scheduled task(s)
                                                                                              PID:3152
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                              2⤵
                                                                                                PID:1092
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                2⤵
                                                                                                  PID:3552
                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                  2⤵
                                                                                                    PID:3832
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                    2⤵
                                                                                                      PID:1492
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                      2⤵
                                                                                                        PID:684
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                        2⤵
                                                                                                          PID:2428
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                          2⤵
                                                                                                            PID:2352
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                            2⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:2416
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                            2⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:2240
                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                            2⤵
                                                                                                              PID:3576
                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                              2⤵
                                                                                                                PID:2376
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                2⤵
                                                                                                                • Creates scheduled task(s)
                                                                                                                PID:2472
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                2⤵
                                                                                                                  PID:1400
                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                  2⤵
                                                                                                                    PID:3256
                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                    2⤵
                                                                                                                      PID:3480
                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                      2⤵
                                                                                                                      • Creates scheduled task(s)
                                                                                                                      PID:2256
                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                      2⤵
                                                                                                                      • Creates scheduled task(s)
                                                                                                                      PID:2224
                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                      2⤵
                                                                                                                        PID:1112
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                        2⤵
                                                                                                                        • Creates scheduled task(s)
                                                                                                                        PID:1912
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                        2⤵
                                                                                                                        • Creates scheduled task(s)
                                                                                                                        PID:568
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                        2⤵
                                                                                                                          PID:2192
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                          2⤵
                                                                                                                            PID:3088
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                            2⤵
                                                                                                                            • Creates scheduled task(s)
                                                                                                                            PID:1764
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                            2⤵
                                                                                                                              PID:1088
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                              2⤵
                                                                                                                                PID:968
                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                2⤵
                                                                                                                                  PID:776
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                  2⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:3128
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                  2⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:1448
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                  2⤵
                                                                                                                                    PID:2060
                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                    2⤵
                                                                                                                                      PID:2736
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                      2⤵
                                                                                                                                        PID:1616
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                        2⤵
                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                        PID:1564
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                        2⤵
                                                                                                                                          PID:2068
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                          2⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:1916
                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                          2⤵
                                                                                                                                            PID:2020
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                            2⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:1904
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                            2⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2840
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                            2⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:1164
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                            2⤵
                                                                                                                                              PID:2144
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                              2⤵
                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                              PID:3140
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                              2⤵
                                                                                                                                                PID:3224
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                2⤵
                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                PID:2932
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                2⤵
                                                                                                                                                  PID:3668
                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                  2⤵
                                                                                                                                                    PID:1832
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                    2⤵
                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                    PID:3548
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                    2⤵
                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                    PID:3272
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2700
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1028
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2504
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                          2⤵
                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                          PID:3108
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                          2⤵
                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                          PID:3852
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                          2⤵
                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                          PID:3012
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3884
                                                                                                                                                        • C:\Windows\system32\taskeng.exe
                                                                                                                                                          taskeng.exe {DA7ADA46-2F6A-40E6-B946-3443713F9D71} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
                                                                                                                                                          1⤵
                                                                                                                                                            PID:3412

                                                                                                                                                          Network

                                                                                                                                                          MITRE ATT&CK Enterprise v6

                                                                                                                                                          Downloads

                                                                                                                                                          • memory/3180-129-0x0000000000000000-mapping.dmp