Analysis
-
max time kernel
153s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2022 23:11
Static task
static1
Behavioral task
behavioral1
Sample
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
Resource
win10v2004-20220812-en
General
-
Target
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
-
Size
1.4MB
-
MD5
7ce5f7a405d6b2cb65226f9a471dc690
-
SHA1
d2ff0b3f6288da4b0fb3f31085df7d2eb34ba524
-
SHA256
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2
-
SHA512
97d71eb030df7ede2c4683117d7fc2fbf9831c6a166ca8e69c4037a739b8220454e6ca752061fe9f629a22586d1066be3f986b5dd97b2f8358a09bbda7d3128a
-
SSDEEP
24576:dtb20pkACqT5TBWgNQ7a0I1VP+oB8pRIlYWtB5aOsZ6A:Org5tQ7aBTPMIlY2b45
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr119.exe,explorer.exe" ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
RegAsm.exedescription ioc process File created C:\Windows\assembly\Desktop.ini RegAsm.exe File opened for modification C:\Windows\assembly\Desktop.ini RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exedescription pid process target process PID 1960 set thread context of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe -
Drops file in Windows directory 3 IoCs
Processes:
RegAsm.exedescription ioc process File opened for modification C:\Windows\assembly RegAsm.exe File created C:\Windows\assembly\Desktop.ini RegAsm.exe File opened for modification C:\Windows\assembly\Desktop.ini RegAsm.exe -
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4084 schtasks.exe 1576 schtasks.exe 2472 schtasks.exe 2652 schtasks.exe 4460 schtasks.exe 2876 schtasks.exe 4488 schtasks.exe 972 schtasks.exe 1480 schtasks.exe 2612 schtasks.exe 4852 schtasks.exe 1912 schtasks.exe 736 schtasks.exe 2492 schtasks.exe 4232 schtasks.exe 3148 schtasks.exe 5012 schtasks.exe 4628 schtasks.exe 672 schtasks.exe 3284 schtasks.exe 4000 schtasks.exe 1364 schtasks.exe 384 schtasks.exe 4880 schtasks.exe 4512 schtasks.exe 3848 schtasks.exe 4404 schtasks.exe 3420 schtasks.exe 3280 schtasks.exe 3388 schtasks.exe 3792 schtasks.exe 1656 schtasks.exe 5112 schtasks.exe 3184 schtasks.exe 3932 schtasks.exe 1464 schtasks.exe 3676 schtasks.exe 4500 schtasks.exe 4500 schtasks.exe 1216 schtasks.exe 4980 schtasks.exe 2512 schtasks.exe 308 schtasks.exe 2232 schtasks.exe 1276 schtasks.exe 1084 schtasks.exe 4732 schtasks.exe 4992 schtasks.exe 2712 schtasks.exe 2792 schtasks.exe 3024 schtasks.exe 4796 schtasks.exe 1364 schtasks.exe 1648 schtasks.exe 3184 schtasks.exe 2780 schtasks.exe 3872 schtasks.exe 3328 schtasks.exe 3440 schtasks.exe 1856 schtasks.exe 3732 schtasks.exe 4524 schtasks.exe 4920 schtasks.exe 4596 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exepid process 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exepid process 2284 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 2284 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 2284 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exedescription pid process target process PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 2284 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe RegAsm.exe PID 1960 wrote to memory of 4680 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4680 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4680 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4880 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4880 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4880 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4920 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4920 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4920 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2040 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2040 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2040 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 536 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 536 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 536 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4852 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4852 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4852 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1476 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1476 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1476 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1576 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1576 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1576 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3200 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3200 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3200 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4460 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4460 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4460 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2412 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2412 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2412 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4628 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4628 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4628 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2196 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2196 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 2196 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4512 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4512 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4512 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3688 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3688 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 3688 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4488 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4488 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4488 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1772 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1772 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 1772 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4296 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4296 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 4296 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 672 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe PID 1960 wrote to memory of 672 1960 ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2284
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4680
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4880
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4920
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2040
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:536
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4852
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1476
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1576
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3200
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4460
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2412
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4628
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2196
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4512
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3688
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4488
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1772
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4296
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:672
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4748
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4616
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2340
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1736
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2136
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4464
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3280
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4500
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4876
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3284
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4084
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4756
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2464
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1196
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4000
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:308
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5064
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:972
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2308
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1856
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3732
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4908
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:700
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1576
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2364
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3444
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:344
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4132
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3836
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1672
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2612
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1912
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3872
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1940
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1276
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1216
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:736
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1232
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1660
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2404
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1668
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4648
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1656
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3600
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:376
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2472
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3708
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1148
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4220
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4596
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1620
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1084
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2652
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3388
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2512
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3192
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2780
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3376
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2656
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2180
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4128
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1216
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4288
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1712
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4868
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2388
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4980
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3456
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4532
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3328
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5064
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4140
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1284
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1528
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4580
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2952
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3848
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1564
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:700
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:640
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2312
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4476
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2340
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2300
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1364
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3120
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4344
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4076
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:5112
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4468
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1660
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4032
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4800
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2460
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2560
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1464
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4648
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4460
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1112
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:376
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1648
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2228
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4892
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2248
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:972
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3132
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1084
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4116
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3848
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4732
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4704
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2492
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3660
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2792
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4208
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4604
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4232
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4076
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5036
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4024
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4040
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1452
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1672
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2796
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4992
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:384
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:880
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:228
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2212
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4832
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4996
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3248
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3148
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4168
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1148
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3184
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2624
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3692
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4896
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3276
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4496
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2220
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3932
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3032
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4488
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1736
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3504
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1364
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:812
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3992
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3604
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:344
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:1480
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:828
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2172
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4000
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2388
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4308
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2212
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:384
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5108
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4816
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3676
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4404
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1164
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2232
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3184
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:956
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4524
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3816
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3440
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1084
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2780
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4628
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1992
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2220
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:5012
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1168
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3932
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3600
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3084
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5072
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3024
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:892
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3420
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:5080
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2056
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2876
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4500
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1356
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3536
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4024
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1824
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4448
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1660
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3616
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4968
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2496
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3180
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:696
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3736
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4524
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4092
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1272
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:4796
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:3792
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4700
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:672
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:3500
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵
- Creates scheduled task(s)
PID:2612
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:928
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:2708
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:1992
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:4904
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f2⤵PID:640
-