Analysis Overview
SHA256
3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
Threat Level: Known bad
The file 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Imminent RAT
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-29 15:32
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-29 15:32
Reported
2022-10-29 21:37
Platform
win7-20220812-en
Max time kernel
86s
Max time network
46s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-29 15:32
Reported
2022-10-29 21:37
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
152s
Command Line
Signatures
Imminent RAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe" | C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4464 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | melonhead361.mooo.com | udp |
| US | 93.184.220.29:80 | | tcp |
| DE | 51.116.253.168:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe
| MD5 | 7132076fe70278fbe2dda128cc366475 |
| SHA1 | 2f855ab609d76ad9a0e82b57e7989a9a1860dd77 |
| SHA256 | 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9 |
| SHA512 | 162f6eec3460c6fdcb78be5f0ca4a54e29894c1afae606e7e8e6a73e42f4a84185648ebcda8ae0ba09ede694418a44513e099c20403df0a8cb1522e780413b51 |