babylonrat | cfcb583b5a451c22efb64812976ccef1e3532bb6e42447a59e80811bb3473185

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-10-2023 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8b447396d1c87c0e2831d467d05b7890.exe
Size

1.5MB
MD5

8b447396d1c87c0e2831d467d05b7890
SHA1

c14c2058e88773d77750e698921700340c3e4749
SHA256

cfcb583b5a451c22efb64812976ccef1e3532bb6e42447a59e80811bb3473185
SHA512

5df833e34be46d8d91ea950219980d589e80f7bb6b9a940e290e5312de95b6c2938cf0414f247078365372ff68a15c554c29e2e0df185a8ad34b0ca89818c1b6
SSDEEP

24576:dbCj2sObHtqQ4QqH0XlE654b4fX3fo8wBgNcf:dbCjPKNqQqH0XSucJ

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 2 IoCs

pid	Process
3516	HostController.exe
1188	HostController.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2892-8-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-10-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-11-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-12-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-13-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-14-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-19-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-20-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-21-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-22-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2892-28-0x00000000000C0000-0x0000000000189000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x002c000000014b86-35.dat	autoit_exe
behavioral1/files/0x002c000000014b86-36.dat	autoit_exe
behavioral1/files/0x002c000000014b86-55.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
640	schtasks.exe
908	schtasks.exe
2752	schtasks.exe
2408	schtasks.exe
2332	schtasks.exe
2064	schtasks.exe
2576	schtasks.exe
3304	schtasks.exe
4064	schtasks.exe
1444	schtasks.exe
2744	schtasks.exe
1920	schtasks.exe
1948	schtasks.exe
3096	schtasks.exe
1908	schtasks.exe
2164	schtasks.exe
1528	schtasks.exe
1368	schtasks.exe
3508	schtasks.exe
1304	schtasks.exe
1920	schtasks.exe
3044	schtasks.exe
4080	schtasks.exe
3936	schtasks.exe
3088	schtasks.exe
2316	schtasks.exe
1604	schtasks.exe
2852	schtasks.exe
852	schtasks.exe
440	schtasks.exe
1772	schtasks.exe
3912	schtasks.exe
2764	schtasks.exe
2420	schtasks.exe
3324	schtasks.exe
3752	schtasks.exe
1596	schtasks.exe
1092	schtasks.exe
2972	schtasks.exe
3268	schtasks.exe
2936	schtasks.exe
2680	schtasks.exe
3068	schtasks.exe
3664	schtasks.exe
592	schtasks.exe
1772	schtasks.exe
1424	schtasks.exe
2072	schtasks.exe
3168	schtasks.exe
2832	schtasks.exe
900	schtasks.exe
2164	schtasks.exe
2736	schtasks.exe
3468	schtasks.exe
2960	schtasks.exe
4032	schtasks.exe
1628	schtasks.exe
3192	schtasks.exe
4052	schtasks.exe
3720	schtasks.exe
1760	schtasks.exe
1884	schtasks.exe
1208	schtasks.exe
3080	schtasks.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2708	PING.EXE
2720	PING.EXE
1876	PING.EXE
2304	PING.EXE
2456	PING.EXE
2936	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2892	NEAS.8b447396d1c87c0e2831d467d05b7890.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2892	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
Token: SeDebugPrivilege	2892	NEAS.8b447396d1c87c0e2831d467d05b7890.exe
Token: SeTcbPrivilege	2892	NEAS.8b447396d1c87c0e2831d467d05b7890.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	NEAS.8b447396d1c87c0e2831d467d05b7890.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	28
PID 3028 wrote to memory of 848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	28
PID 3028 wrote to memory of 848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	28
PID 3028 wrote to memory of 848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	28
PID 848 wrote to memory of 3040	848	cmd.exe	30
PID 848 wrote to memory of 3040	848	cmd.exe	30
PID 848 wrote to memory of 3040	848	cmd.exe	30
PID 848 wrote to memory of 3040	848	cmd.exe	30
PID 3040 wrote to memory of 2708	3040	cmd.exe	32
PID 3040 wrote to memory of 2708	3040	cmd.exe	32
PID 3040 wrote to memory of 2708	3040	cmd.exe	32
PID 3040 wrote to memory of 2708	3040	cmd.exe	32
PID 3028 wrote to memory of 2752	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	33
PID 3028 wrote to memory of 2752	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	33
PID 3028 wrote to memory of 2752	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	33
PID 3028 wrote to memory of 2752	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	33
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2892	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	35
PID 3028 wrote to memory of 2756	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	36
PID 3028 wrote to memory of 2756	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	36
PID 3028 wrote to memory of 2756	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	36
PID 3028 wrote to memory of 2756	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	36
PID 3040 wrote to memory of 2720	3040	cmd.exe	39
PID 3040 wrote to memory of 2720	3040	cmd.exe	39
PID 3040 wrote to memory of 2720	3040	cmd.exe	39
PID 3040 wrote to memory of 2720	3040	cmd.exe	39
PID 3028 wrote to memory of 2612	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	38
PID 3028 wrote to memory of 2612	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	38
PID 3028 wrote to memory of 2612	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	38
PID 3028 wrote to memory of 2612	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	38
PID 3028 wrote to memory of 2620	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	41
PID 3028 wrote to memory of 2620	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	41
PID 3028 wrote to memory of 2620	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	41
PID 3028 wrote to memory of 2620	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	41
PID 3028 wrote to memory of 2424	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	43
PID 3028 wrote to memory of 2424	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	43
PID 3028 wrote to memory of 2424	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	43
PID 3028 wrote to memory of 2424	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	43
PID 3028 wrote to memory of 852	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	45
PID 3028 wrote to memory of 852	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	45
PID 3028 wrote to memory of 852	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	45
PID 3028 wrote to memory of 852	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	45
PID 3028 wrote to memory of 2848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	47
PID 3028 wrote to memory of 2848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	47
PID 3028 wrote to memory of 2848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	47
PID 3028 wrote to memory of 2848	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	47
PID 3028 wrote to memory of 2980	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	49
PID 3028 wrote to memory of 2980	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	49
PID 3028 wrote to memory of 2980	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	49
PID 3028 wrote to memory of 2980	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	49
PID 3028 wrote to memory of 2284	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	51
PID 3028 wrote to memory of 2284	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	51
PID 3028 wrote to memory of 2284	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	51
PID 3028 wrote to memory of 2284	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	51
PID 3028 wrote to memory of 1772	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	53
PID 3028 wrote to memory of 1772	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	53
PID 3028 wrote to memory of 1772	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	53
PID 3028 wrote to memory of 1772	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	53
PID 3028 wrote to memory of 1964	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	55
PID 3028 wrote to memory of 1964	3028	NEAS.8b447396d1c87c0e2831d467d05b7890.exe	55

C:\Users\Admin\AppData\Local\Temp\NEAS.8b447396d1c87c0e2831d467d05b7890.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8b447396d1c87c0e2831d467d05b7890.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\File.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~3\File.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:1876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2936
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      4⤵
      PID:2380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "HostController" /tr "C:\ProgramData\HostController.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\NEAS.8b447396d1c87c0e2831d467d05b7890.exe
  0
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2756
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2980
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1964
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1368
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1184
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1152
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2000
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2072
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1444
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1704
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2256
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2340
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1600
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1608
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1628
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2716
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2540
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2596
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2276
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1824
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2764
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2212
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2856
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2780
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1092
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2972
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2132
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2248
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2336
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1084
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1208
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2676
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1416
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1612
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2200
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:964
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1604
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:320
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2552
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1764
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1716
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3044
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2332
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1220
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3096
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3124
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3160
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3192
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3268
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3368
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3468
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3544
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3580
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3644
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3672
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3708
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3736
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3784
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3812
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4024
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4080
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3304
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2296
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3400
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2972
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2700
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3324
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3168
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3268
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3656
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3444
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3612
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2552
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3720
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3140
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3088
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3780
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3508
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3196
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3104
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1108
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1304
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3768
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1528
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1160
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2416
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2572
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1428
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1996
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1624
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2576
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1368
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1812
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2028
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4008
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3816
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3540
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4032
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3080
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4000
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1596
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1500
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3316
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3728
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3556
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:900

C:\Windows\system32\taskeng.exe
taskeng.exe {D51F0F90-8585-4071-8CED-DD0D3715568A} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
1⤵
PID:912
- C:\ProgramData\HostController.exe
  C:\ProgramData\HostController.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\ProgramData\HostController.exe
  C:\ProgramData\HostController.exe
  2⤵
  - Executes dropped EXE
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\File.bat

Filesize
761B

MD5
583540fd7a2b1c752b10e55c64a0cb00

SHA1
f1d600b36e4c751e71817590a5f02fddc7c0dc4e

SHA256
e2fb0ed137bfacc99f4f879445de3fe61ea469bf382007c8af2611c0879f1ca6

SHA512
db88afc9fdfc86c6026ed0d0e445d720bc0cde682266d3edd2d083a531c5ea91a85dc3075719dd91ac485eff1ed19d3e641f4509945b5a7dd6d322ae730d7a04

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
d1aeee6815f830f1b1a511bf63e4bef3

SHA1
ea9d5507fadb7190c2cbf42199c619b61e0bfbab

SHA256
a82188d0cc7aa798b360259c58855c8e46a66ef55c9ffe423321e352afba32d9

SHA512
a22ac3548a5f2d1b600c1daca8b812f9feac69e7d4f8b489b7bc9ed54c90d072fc46272b07664c279202bedf583deb65f7d34ac6c306bec89b237de40ad9992f

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
d1aeee6815f830f1b1a511bf63e4bef3

SHA1
ea9d5507fadb7190c2cbf42199c619b61e0bfbab

SHA256
a82188d0cc7aa798b360259c58855c8e46a66ef55c9ffe423321e352afba32d9

SHA512
a22ac3548a5f2d1b600c1daca8b812f9feac69e7d4f8b489b7bc9ed54c90d072fc46272b07664c279202bedf583deb65f7d34ac6c306bec89b237de40ad9992f

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
d1aeee6815f830f1b1a511bf63e4bef3

SHA1
ea9d5507fadb7190c2cbf42199c619b61e0bfbab

SHA256
a82188d0cc7aa798b360259c58855c8e46a66ef55c9ffe423321e352afba32d9

SHA512
a22ac3548a5f2d1b600c1daca8b812f9feac69e7d4f8b489b7bc9ed54c90d072fc46272b07664c279202bedf583deb65f7d34ac6c306bec89b237de40ad9992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
140B

MD5
a5b9abb102d92b9b384a76ba6f92844c

SHA1
7776eab88801c625974a699aa6719200440cba0c

SHA256
76b962c2991667590055ce22e62e9b307063e486b79cf70da4f9fc90ef73b51e

SHA512
589110ca2c292037fbe2780fb4870d90f3899a29bc7a9face35ae1d448a109311ab345a93527614447f61d3c957b3a4f7c0786c18d95dae0c3ddcd6dd9e16382

Download Submit
memory/2892-14-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-12-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-13-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-11-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-10-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-19-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-20-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-21-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-22-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-28-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-8-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2892-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-4-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download