Analysis Overview
SHA256
ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2
Threat Level: Known bad
The file ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Modifies WinLogon for persistence
Drops desktop.ini file(s)
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-01 23:11
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-01 23:11
Reported
2022-10-02 01:30
Platform
win7-20220812-en
Max time kernel
152s
Max time network
47s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr119.exe,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {DA7ADA46-2F6A-40E6-B946-3443713F9D71} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
Network
Files
memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
memory/1488-55-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-56-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-58-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-59-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-60-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-61-0x000000000045A3DE-mapping.dmp
memory/1488-63-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1488-65-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1756-67-0x0000000000000000-mapping.dmp
memory/1724-68-0x0000000000000000-mapping.dmp
memory/1012-69-0x0000000000000000-mapping.dmp
memory/524-70-0x0000000000000000-mapping.dmp
memory/1164-71-0x0000000000000000-mapping.dmp
memory/1516-72-0x0000000000000000-mapping.dmp
memory/392-73-0x0000000000000000-mapping.dmp
memory/1196-74-0x0000000000000000-mapping.dmp
memory/1828-75-0x0000000000000000-mapping.dmp
memory/2040-76-0x0000000000000000-mapping.dmp
memory/1416-77-0x0000000000000000-mapping.dmp
memory/2032-78-0x0000000000000000-mapping.dmp
memory/2024-79-0x0000000000000000-mapping.dmp
memory/472-80-0x0000000000000000-mapping.dmp
memory/1368-81-0x0000000000000000-mapping.dmp
memory/556-82-0x0000000000000000-mapping.dmp
memory/1604-83-0x0000000000000000-mapping.dmp
memory/980-84-0x0000000000000000-mapping.dmp
memory/1480-85-0x0000000000000000-mapping.dmp
memory/1720-86-0x0000000000000000-mapping.dmp
memory/1188-87-0x0000000000000000-mapping.dmp
memory/1916-88-0x0000000000000000-mapping.dmp
memory/1572-89-0x0000000000000000-mapping.dmp
memory/1764-90-0x0000000000000000-mapping.dmp
memory/1140-91-0x0000000000000000-mapping.dmp
memory/1292-92-0x0000000000000000-mapping.dmp
memory/2068-93-0x0000000000000000-mapping.dmp
memory/2100-94-0x0000000000000000-mapping.dmp
memory/2132-95-0x0000000000000000-mapping.dmp
memory/2164-96-0x0000000000000000-mapping.dmp
memory/2200-97-0x0000000000000000-mapping.dmp
memory/2228-98-0x0000000000000000-mapping.dmp
memory/2256-99-0x0000000000000000-mapping.dmp
memory/2300-100-0x0000000000000000-mapping.dmp
memory/2332-101-0x0000000000000000-mapping.dmp
memory/2364-102-0x0000000000000000-mapping.dmp
memory/2396-103-0x0000000000000000-mapping.dmp
memory/2428-104-0x0000000000000000-mapping.dmp
memory/2460-105-0x0000000000000000-mapping.dmp
memory/2492-106-0x0000000000000000-mapping.dmp
memory/2680-107-0x0000000000000000-mapping.dmp
memory/2720-108-0x0000000000000000-mapping.dmp
memory/2756-109-0x0000000000000000-mapping.dmp
memory/2788-110-0x0000000000000000-mapping.dmp
memory/2876-111-0x0000000000000000-mapping.dmp
memory/2908-112-0x0000000000000000-mapping.dmp
memory/2948-113-0x0000000000000000-mapping.dmp
memory/2992-114-0x0000000000000000-mapping.dmp
memory/3036-115-0x0000000000000000-mapping.dmp
memory/2076-116-0x0000000000000000-mapping.dmp
memory/2244-117-0x0000000000000000-mapping.dmp
memory/2380-118-0x0000000000000000-mapping.dmp
memory/2508-119-0x0000000000000000-mapping.dmp
memory/2728-120-0x0000000000000000-mapping.dmp
memory/1128-121-0x0000000000000000-mapping.dmp
memory/1028-122-0x0000000000000000-mapping.dmp
memory/2924-123-0x0000000000000000-mapping.dmp
memory/2852-124-0x0000000000000000-mapping.dmp
memory/1628-125-0x0000000000000000-mapping.dmp
memory/3008-126-0x0000000000000000-mapping.dmp
memory/3092-127-0x0000000000000000-mapping.dmp
memory/3136-128-0x0000000000000000-mapping.dmp
memory/3180-129-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-01 23:11
Reported
2022-10-02 01:30
Platform
win10v2004-20220812-en
Max time kernel
153s
Max time network
165s
Command Line
Signatures
Imminent RAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr119.exe,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1960 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\ef399fead4a7158e1df3c8545e7db50abcf38da47e381351523fa01c2f6b8bd2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr119.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.238.20.126:80 | tcp | |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.238.20.126:80 | tcp | |
| US | 8.247.210.126:80 | tcp | |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 20.42.65.84:443 | tcp | |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.247.211.126:80 | tcp | |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
| US | 8.8.8.8:53 | wizardsquad.no-ip.biz | udp |
Files
memory/2284-132-0x0000000000000000-mapping.dmp
memory/2284-133-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4680-134-0x0000000000000000-mapping.dmp
memory/4880-135-0x0000000000000000-mapping.dmp
memory/2284-137-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-138-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-139-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-140-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-142-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-143-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-141-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-145-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-147-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-148-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-151-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-153-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-154-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-156-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2284-157-0x0000000073E20000-0x00000000743D1000-memory.dmp
memory/4920-158-0x0000000000000000-mapping.dmp
memory/2040-159-0x0000000000000000-mapping.dmp
memory/536-160-0x0000000000000000-mapping.dmp
memory/4852-161-0x0000000000000000-mapping.dmp
memory/1476-162-0x0000000000000000-mapping.dmp
memory/1576-163-0x0000000000000000-mapping.dmp
memory/3200-164-0x0000000000000000-mapping.dmp
memory/4460-165-0x0000000000000000-mapping.dmp
memory/2412-166-0x0000000000000000-mapping.dmp
memory/4628-167-0x0000000000000000-mapping.dmp
memory/2196-168-0x0000000000000000-mapping.dmp
memory/4512-169-0x0000000000000000-mapping.dmp
memory/3688-170-0x0000000000000000-mapping.dmp
memory/4488-171-0x0000000000000000-mapping.dmp
memory/1772-172-0x0000000000000000-mapping.dmp
memory/4296-173-0x0000000000000000-mapping.dmp
memory/2284-174-0x0000000073E20000-0x00000000743D1000-memory.dmp
memory/672-175-0x0000000000000000-mapping.dmp
memory/4748-176-0x0000000000000000-mapping.dmp
memory/4616-177-0x0000000000000000-mapping.dmp
memory/2340-178-0x0000000000000000-mapping.dmp
memory/1736-179-0x0000000000000000-mapping.dmp
memory/2712-180-0x0000000000000000-mapping.dmp
memory/2136-181-0x0000000000000000-mapping.dmp
memory/4464-182-0x0000000000000000-mapping.dmp
memory/3280-183-0x0000000000000000-mapping.dmp
memory/4500-184-0x0000000000000000-mapping.dmp
memory/4876-185-0x0000000000000000-mapping.dmp
memory/3284-186-0x0000000000000000-mapping.dmp
memory/4084-187-0x0000000000000000-mapping.dmp
memory/4756-188-0x0000000000000000-mapping.dmp
memory/2464-189-0x0000000000000000-mapping.dmp
memory/1196-190-0x0000000000000000-mapping.dmp
memory/4000-191-0x0000000000000000-mapping.dmp
memory/308-192-0x0000000000000000-mapping.dmp
memory/5064-193-0x0000000000000000-mapping.dmp
memory/972-194-0x0000000000000000-mapping.dmp
memory/2308-195-0x0000000000000000-mapping.dmp
memory/1856-196-0x0000000000000000-mapping.dmp
memory/3732-197-0x0000000000000000-mapping.dmp
memory/4908-198-0x0000000000000000-mapping.dmp
memory/700-199-0x0000000000000000-mapping.dmp
memory/1576-200-0x0000000000000000-mapping.dmp
memory/2364-201-0x0000000000000000-mapping.dmp
memory/3444-202-0x0000000000000000-mapping.dmp
memory/344-203-0x0000000000000000-mapping.dmp
memory/4132-204-0x0000000000000000-mapping.dmp
memory/3836-205-0x0000000000000000-mapping.dmp
memory/1672-206-0x0000000000000000-mapping.dmp
memory/2612-207-0x0000000000000000-mapping.dmp
memory/1912-208-0x0000000000000000-mapping.dmp
memory/3872-209-0x0000000000000000-mapping.dmp
memory/1940-210-0x0000000000000000-mapping.dmp
memory/1276-211-0x0000000000000000-mapping.dmp
memory/1216-212-0x0000000000000000-mapping.dmp
memory/736-213-0x0000000000000000-mapping.dmp
memory/1232-214-0x0000000000000000-mapping.dmp
memory/1660-215-0x0000000000000000-mapping.dmp
memory/2404-216-0x0000000000000000-mapping.dmp
memory/1668-217-0x0000000000000000-mapping.dmp
memory/4648-218-0x0000000000000000-mapping.dmp
memory/1656-219-0x0000000000000000-mapping.dmp