Analysis
- max time kernel: 152s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 23:11
Static task
static1
Behavioral task
behavioral1
Sample
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Resource
win10v2004-20220812-en
General
-
Target
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
-
Size
1.4MB
-
MD5
7ce5f7a405d6b2cb65226f9a471dc690
-
SHA1
d2ff0b3f6288da4b0fb3f31085df7d2eb34ba524
-
SHA256
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2
-
SHA512
97d71eb030df7ede2c4683117d7fc2fbf9831c6a166ca8e69c4037a739b8220454e6ca752061fe9f629a22586d1066be3f986b5dd97b2f8358a09bbda7d3128a
-
SSDEEP
24576:dtb20pkACqT5TBWgNQ7a0I1VP+oB8pRIlYWtB5aOsZ6A:Org5tQ7aBTPMIlY2b45
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr119.exe,explorer.exe"
- process: ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
- description: PID 1940 set thread context of 1488
- pid: 1940
- process: ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
- target process: RegAsm.exe
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
- pid: 1940
- process: ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
-
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  PID:1488
-
  C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
  PID:1756
-
  C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
  - Creates scheduled task(s)
  PID:1724
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1012
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:524
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1164
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1516
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:392
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1196
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1828
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2040
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1416
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2032
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2024
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:472
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1368
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:556
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1604
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:980
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1480
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1720
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1188
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1916
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1572
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1764
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1140
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1292
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2068
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2100
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2132
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2164
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2200
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2228
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2256
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2300
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2332
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2364
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2396
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2428
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2460
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2492
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2680
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2720
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2756
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2788
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2876
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2908
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2948
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2992
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3036
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2076
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2244
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2380
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2508
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2728
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1128
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1028
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2924
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2852
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1628
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3008
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3092
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3136
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3180
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3224
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3264
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3304
-
-
C:\Windows\system32\taskeng.exe
taskeng.exe {DA7ADA46-2F6A-40E6-B946-3443713F9D71} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
PID:3412