Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
29-10-2022 15:32
Static task
static1
Behavioral task
behavioral1
Sample
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
Resource
win10v2004-20220812-en
General
-
Target
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
-
Size
1.2MB
-
MD5
7132076fe70278fbe2dda128cc366475
-
SHA1
2f855ab609d76ad9a0e82b57e7989a9a1860dd77
-
SHA256
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
-
SHA512
162f6eec3460c6fdcb78be5f0ca4a54e29894c1afae606e7e8e6a73e42f4a84185648ebcda8ae0ba09ede694418a44513e099c20403df0a8cb1522e780413b51
-
SSDEEP
24576:Dtb20pkACqT5TBWgNQ7ar+P2ZPGhv05szsKp6A:Arg5tQ7ar+TvBf5
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe" | 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2864 | winmgr112.exe
5380 | winmgr112.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe | autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe | autoit_exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4464 set thread context of 4844 | 4464 | 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe | RegAsm.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\assembly | RegAsm.exe
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4464 | 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4844 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4844 | RegAsm.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
4844 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4928
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:4780 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1028
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3456 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2896
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3404 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4192
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3928 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3564
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4232
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:636
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4848
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1664
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3212
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1008
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1564
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3628 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1996
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4260
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:8
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3640 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3088
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4408
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3964
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:4936 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3604
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:4552 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:756
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1900
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4980
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3892
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3584
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:2468 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:944
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3736
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1124
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2080
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3476
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3264
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2116
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3404
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4344
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:920
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:1704 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1668
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2672
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:1416 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:4672
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:1896 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2488
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:1552 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:3628 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2540
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:932
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2868
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:2236 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:4924 -
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3936
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3392
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:1288
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:3436
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵PID:2520
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f2⤵
- Creates scheduled task(s)
PID:648 -
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
1⤵
- Executes dropped EXE
PID:2864
-
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
1⤵
- Executes dropped EXE
PID:5380
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.2MB
MD5
7132076fe70278fbe2dda128cc366475
SHA1
2f855ab609d76ad9a0e82b57e7989a9a1860dd77
SHA256
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
SHA512
162f6eec3460c6fdcb78be5f0ca4a54e29894c1afae606e7e8e6a73e42f4a84185648ebcda8ae0ba09ede694418a44513e099c20403df0a8cb1522e780413b51