Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-sysqmscec4
Target 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
SHA256 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
Tags
persistence imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9

Threat Level: Known bad

The file 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9 was found to be: Known bad.

Malicious Activity Summary

persistence imminent spyware trojan

Modifies WinLogon for persistence

Imminent RAT

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-29 15:32

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-29 15:32

Reported

2022-10-29 21:37

Platform

win7-20220812-en

Max time kernel

86s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe" C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 848 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1504 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1504 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe

"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-29 15:32

Reported

2022-10-29 21:37

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe" C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4464 set thread context of 4844 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4464 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe

"C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe

C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe

C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f

C:\Windows\SysWOW64\schtasks.exe

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 melonhead361.mooo.com udp
US 93.184.220.29:80 tcp
DE 51.116.253.168:443 tcp
NL 104.80.225.205:443 tcp

Files

C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe

MD5 7132076fe70278fbe2dda128cc366475
SHA1 2f855ab609d76ad9a0e82b57e7989a9a1860dd77
SHA256 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
SHA512 162f6eec3460c6fdcb78be5f0ca4a54e29894c1afae606e7e8e6a73e42f4a84185648ebcda8ae0ba09ede694418a44513e099c20403df0a8cb1522e780413b51
